Wednesday, August 09, 2006

the blue pill leaves a foul aftertaste

yes, i know i've blogged about it before a couple of times already but time has passed and events have unfolded...

black hat is over, joanna rutkowska's presentation is complete and the media just lapped it up... microsoft expressed interest (and why wouldn't they when it bypassed protection mechanisms in their latest and greatest and most secure OS ever?) and probably others too...

in fact, at least one (perhaps more) anti-virus vendor has expressed interest in obtaining more information and that's when everything changed...

see, it was made clear way back in june that the blue pill wouldn't be available for download by the public and i thought to myself well gee that's a good thing... i mean it's clear that if it were freely (as in speech) available that the bad guys would adapt it and use it for their own purposes (if/when 64bit amd platforms become a significant hardware base)... it sounded very promising ethically, it seemed like the people holding the cards (coseinc) were going to be responsible (a stark contrast with so much of what goes on in the stealthkit/rootkit domain)...

so imagine my surprise and disappointment to read that in order for anti-virus companies to get additional information they'll have to pay money... yes, that's right, av companies are expected to pay for access to malware... as if malware creators don't already have enough of a financial incentive these days... by paying for malware, anti-virus companies would be giving malware creators (academic or otherwise) more reasons to create even more malware... that is not something av companies should ever be contributing to as it makes them part of the problem rather than part of the solution...

it's not like the malware creators were simply discovering an existing flaw, the potential for malware doesn't depend on flaws and joanna rutkowska made it clear that the blue pill doesn't depend on any flaws so the growing (and controversial) practice of paying vulnerability researchers for vulnerability information (on the basis that they've done useful work for the vendor whose product they found flaws in by finding those flaws so they can be fixed) doesn't apply...

thankfully the folks at authentium did the right thing... i hope more do the same and come out publicly against the practice of paying for malware... and for those that don't, just remember what happened to the reputation of a certain someone who bought virus collections way back when...
