Friday, June 25, 2004

terminology proposal

i hear a lot about people's machines becoming infected with spyware or infected with trojans or infected with adware or ...

i'm sorry, since when are these things considered infectious? if i connect to a network that has a spyware infected machine on it, is my computer going to become infected? how about if i share disks/programs/word documents/etc with such a machine? no, of course not...

VIRUSES infect, not spyware or adware or whatever... i realize people need a way to indicate that very bad software has been installed on their system but let's not confuse the issue by using terms that already have a different meaning in this field, let's try a new word shall we?

we could use "contaminate"... 'my machine became contaminated with spyware'...

but maybe "contaminate" is too fancy (thus "afflict" is also out of the question) or maybe just not pejorative enough... then the answer is simple - the word we want is "poison"... 'my machine has been poisoned with spyware'... that conveys that something noxious has gotten onto the system and it is quite pejorative...

Wednesday, June 23, 2004

false authority syndrome finds its way to The Register

in reference to the following article:
Beastie Boys CD installs virus | The Register

the author of this article is Thomas C. Greene... consider the byline:

[quote]
Thomas C Greene is the author of Computer Security for the Home and Small Office, a comprehensive guide to system hardening, malware protection, online anonymity, encryption, and data hygiene for Windows and Linux.

[/quote]

there seems to be every reason to take his word as gospel, doesn't there... one problem, the article he wrote for The Register indicates that he clearly has no idea what viruses, worms, or trojan horse programs (3 major classes of malware) are...

the DRM software installed by the new Beastie Boys album is not a virus for 2 reasons... most importantly, it does not self-replicate - it does not make copies of itself, copies aren't placed on your existing music CDs, the installer does not (as far as i can tell) get placed on any new CDRs you happen to burn - the most fundamental requirement for classifying something as a virus is that that something has to self-replicate (this has been true ever since the invention of computer viruses by Fred Cohen in 1983, and you can refer to his numerous works on the subject if you don't believe me)... second, it does not infect any host program - by which i mean that it does not attach itself to any program in such a way that when an attempt is made to execute the host program the DRM software gets executed as well as or instead of the host program... infection of host programs is generally regarded as a requirement for calling a self-replicating program a virus instead of a worm (another kind of self-replicating malware) or something else...

so it's not a virus because it doesn't self-replicate and it doesn't infect host programs...

Mr. Greene makes further errors in his justification of calling it a virus rather than a worm... there is an argument (that is not particularly well thought out) that says that viruses require user intervention and worms do not - however that argument is meant to be applied to the way the virus or worm gets executed, not how it gets copied (as Mr. Greene seems to think)... clearly, as the DRM software autoexecutes, the DRM software in question better suits the classification of worm under this (dubious) argument...

what the DRM software in question actually is, is the payload of a trojan horse - a trojan horse being something that advertises itself as performing some desirable function but does something bad in addition to or instead of that desirable function... even a passing familiarity with the field of malware should have made this readily apparent to Mr. Greene...

the legal implications are pretty much the same, though... that much he got right...

Tuesday, June 22, 2004

and now for a lesson in spotting snake oil

take a look at

CyberScrub AntiVirus 1.0 - FAQ

specifically the paragraph:

[quote]
Does CyberScrub AntiVirus have all the “bells and whistles” of other products?
No, those in most cases are just efforts to try to stand out from a field of very similar products. CyberScrub AntiVirus is designed to “install and forget”, providing a secure environment from viruses, worms, Trojans and more. All major features are included: you can have CAV run in the background providing constant protect or you have the ability to scan selected files, folders or drives upon demand.

[/quote]

did you notice the words "install and forget"? they were so helpful they even put it in quotes to help it stand out... anti-virus software (theirs included) is not some kind of magical security dust that you can sprinkle on your computer and have it protect you without any further effort on your part... they cannot actually deliver on the promise of an anti-virus that's so good all you need to do is "install and forget", no one can... further, by promoting the idea that they can do so they are creating a false sense of security in their customers... in spite of the fact that they are offering a good anti-virus scanning engine, they are contributing to the virus problem instead of being part of the solution by these types of actions...

review question 1: what is it called when a salesman makes impossible claims?
answer: "snake oil"

then there's this paragraph:

[quote]
Can I use several antiviral programs at the same time?
If you are talking about Scanners then YES, you can first check a file with one of them, then with another. As for Monitors (resident online scanners) you should be warned that two or more active resident Monitors working simultaneously can cause conflicts. In most cases this leads to the false positives or unstable working. So it is not recommended to use two Monitors at the same time.
[/quote]

now this is a subtle point, i know, but a resident scanner and an online scanner are two completely different things... a resident scanner is one that stays resident in memory for as long as your computer is on, scanning things on your computer as you access them, trying to protect you from triggering an infection... an online scanner is one that runs in the context of your browser and just does a scan of your entire system and then quits when it is done... there's no such thing as a "resident online scanner"... mixing up terms like this makes me think they don't know what they're talking about - how about you?

review question 2: who throws technical terms together without regard for meaning in order to confuse the audience with credible sounding babble, thereby creating the illusion that they know far more about the subject than the audience?
answer: snake oil salesmen

but wait, there's more!

check out this thread that google has kindly archived for posterity (cyberscrub thread) - you'll find the cyberscrub folks pretending to be satisfied cyberscrub customers! those wacky cyberscrub people...

Thursday, June 17, 2004

let's play the name game

ok i'll preface this by saying this was sparked by a debate currently going on in alt.comp.virus.source.code...

if you don't know already, anti-virus companies generally do not call a virus by the name the virus' author gave it... they rename the virus... that renaming results in something you may have seen before - different companies issuing virus alerts for a particular virus with different names...

there are those that say it makes no sense to do this... they say it's stupid, it pisses off the virus writers and it creates confusion among end users...

however, there are some important points to realize:
  1. not all viruses are named by their author, so these clearly require naming by the anti-virus vendor...

  2. not all author supplied names are unique (for a variety of reasons) and so such viruses clearly need to be renamed to avoid confusing them with previous viruses that have the same author supplied name...

  3. some author supplied names refer to people, places, companies or brands and the anti-virus companies really don't want to be issuing alerts for the george bush virus or the corn flakes virus - it puts them in a difficult legal position...

  4. some author supplied names have political, religious, or obscene references in them, and that's also something anti-virus companies don't want to put into virus alerts for similar reasons...

so clearly some viruses have to be renamed... but do all of them have to be renamed?

it's been suggested that you could simply use your best judgment to tell if the author supplied name was suitable or not - maybe even use a search engine since obviously a person isn't going to see the significance of many references from far off lands... the thing is, a search engine isn't perfect in that regard either... more importantly, though, a search engine is bound to turn up some kind of reference (whether the virus author intended it or not) for all sorts of possible names so in practice the anti-virus researchers would probably find themselves renaming most viruses anyways... and should it really be the anti-virus company's job to go to the trouble of verifying the suitability of the name provided by the author? is that really the most productive use of their time and your money? i don't think so...

there is a valid complaint, however... sometimes the renaming process gets personal, the renamer chooses a name specifically to piss off the virus author (some have even bragged about doing this)... that is unprofessional and companies should not tolerate that kind of behaviour from their employees - they shouldn't be picking fights with virus writers, they should be doing their best to avoid contributing to any of the virus writers' possible motives for writing viruses...

there is another valid complaint... not all the companies seem to rename a given virus to the same new name, and this certainly does cause confusion... to a certain extent it's understandable - if 2 researchers in different companies are trying to decide on a new name for a virus at about the same time (give or take a couple of days) then they're bound to decide on different names... hopefully those names get changed later to be more consistent, and i'd certainly like to see that happen as fast as possible (i'd like to see anti-virus companies making a visible effort to minimize the confusion associated with this sort of thing)... sometimes the names don't get changed at all, though, and for the end user that is simply not acceptable... if you find your anti-virus vendor doing that, vote with your wallet, make your feelings heard where they'll feel it the most...

"Certified virus free" = snake oil

have you seen that message appended to emails or newsgroup postings that says it's "certified virus free"? did you believe it?

well, it's snake oil... just as sure as claims of 100% protection from all past, present, and future viruses would also be snake oil...

think about what it means - it's basically guaranteeing that there are no viruses present... ignoring the fact that you can't prove a negative, in order to say with certainty that there are no viruses present the scanner would have to be able to find all viruses in the first place and that's just impossible... detecting all viruses is reducible to the halting problem, an intractable problem in computer science, and this has been known for nearly 20 years...
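the halting-problem argument above, worked through as an added toy example (mine, not part of the original post; the "detectors" are constructed stand-ins, not any real product): whatever verdict a candidate detector gives about the program built against it, the program does the opposite, and a detector that tries to run the program to find out what it does never gets an answer...

```python
"""Toy version of Fred Cohen's diagonal argument that no perfect virus
detector can exist (added example, not the blog's code). A "program" is a
callable returning "replicate" (virus-like) or "idle"; a "detector" maps a
program to True (virus) or False (clean)."""
from typing import Callable

Program = Callable[[], str]
Detector = Callable[[Program], bool]

def make_contrary(detector: Detector) -> Program:
    """Diagonal program for `detector`: it asks the detector about itself
    and then does the opposite of whatever verdict it gets."""
    def contrary() -> str:
        if detector(contrary):
            return "idle"       # detector says virus -> behave benignly
        return "replicate"      # detector says clean -> behave like a virus
    return contrary

def truly_replicates(program: Program) -> bool:
    """Ground truth: what the program actually does when run."""
    return program() == "replicate"

def detector_misclassifies(detector: Detector) -> bool:
    """True if the detector is wrong about the program built against it."""
    p = make_contrary(detector)
    return detector(p) != truly_replicates(p)

# Constructed stand-ins for scanner strategies (hypothetical, demo only).
def always_clean(p: Program) -> bool:
    return False                # the optimistic scanner

def always_virus(p: Program) -> bool:
    return True                 # the paranoid scanner

def by_name_signature(p: Program) -> bool:
    return "contrary" in p.__name__   # a "signature" match on the name

def by_simulation(p: Program) -> bool:
    """Run the program and watch what it does (dynamic analysis)."""
    return p() == "replicate"

def simulation_never_decides() -> bool:
    """Against its own diagonal program the simulating detector loops:
    running p calls the detector, which runs p again, and so on."""
    p = make_contrary(by_simulation)
    try:
        by_simulation(p)
    except RecursionError:      # the "does not halt" outcome, made finite
        return True
    return False
```

every one of the static detectors is wrong about its own diagonal program, and the one that runs the sample to decide never returns - which is the whole reason "certified virus free" cannot be an honest claim...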

so that message you see getting attached to emails and newsgroup postings (whether your own or someone else's) is false advertising... the company behind it is lying to you... however good the product may be, it is not capable of making the determination that message implies and the company behind it should know better...

now you might be thinking "but kurt, it's just a little white lie to help boost sales. it's harmless."... but it is not harmless, it creates a false sense of security... infected emails can and have been sent out with such messages on them - in fact a virus or worm can easily put that message at the end of emails it sends out and there would be no way to tell it from an authentic 'certification'...

i'm tempted to be moderate; to suggest, as others have, simply turning that feature off... but i'm not really known for giving in to temptation - the feature is dangerous, it promotes falsehoods that contribute to over-reliance on anti-virus technology instead of practicing broader secure computing habits (safe-hex)... the only thing i can suggest is dumping such a product in favour of one that is more intellectually honest - at least until the company changes its ways (market pressure, after all, is what really promotes change in the industry)...

ta da!

well, i pretty much knew this was coming... i knew i was going to create an anti-virus blog, i just didn't know when...

the time is now apparently...

criticisms, explanations, wishlists, and assorted rants to follow soon...