Tuesday, December 06, 2005

the 'behaviour monitor' fairytale

y'know, i'm starting to get a little sick and tired of the recent resurgence of
"anti-virus software looks for suspicious behaviour so why didn't/couldn't it stop X"
and
"anti-virus software should look for suspicious behaviour so that it can protect us against Y"

it's not a new idea - not by a long shot... it's more than 10 years old and used to be known as behaviour blocking...

way back in the day there were some programs that did this sort of thing (notably thunderbyte anti-virus) but the idea lost favour for some very good reasons...

the first is that if you allow the malware to run (which you need to do in order to take note of its behaviour) then the malware can simply shut down the behaviour monitor and go on about its merry malware way without having to worry about raising any alarms... this wasn't just a theoretical possibility, it happened... then it happened again, and again and again... even today, despite the lack of widespread use of this technique, viruses and worms and trojans and all sorts of other malware are routinely programmed to kill large lists of security-related processes... clearly, once the malware is running on the same cpu as your security software the window of opportunity for that security software to reliably stop the malware is closed...

another very good reason the idea fell out of favour is the false alarm problem... the software would have to decide whether or not to raise an alarm based on the number and severity of suspicious actions a suspect program takes - the lower the threshold is set the more sensitive it is to suspicious actions and the more likely it is to raise an alarm on something that is completely safe - the higher the threshold is set the less sensitive it is to suspicious actions and the more likely it is to let something bad slip through... letting bad things through is bad enough, but raising alarms on safe programs when the user has basically no real way to determine if the behaviour monitor's suspicions are warranted or not wastes the user's time on needless research and recovery - not to mention that most users' first instinct when faced with an alarm from their security software is something closer to panic than to reasoned analysis...
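To make the threshold trade-off concrete, here is an added example (not code from the original post, and not any product's scoring scheme): a toy score-and-threshold monitor run over constructed action traces. The action names, their suspicion weights and the traces themselves are all assumptions chosen so that a legitimate installer and a mail client do things the monitor has to call suspicious, while one of the malicious traces does very little. Sweeping every threshold shows that no setting gets both the false alarm count and the miss count to zero.

```python
"""Toy score-and-threshold behaviour monitor (constructed illustration).

Each trace is the list of actions one program took while running; each action
carries a fixed suspicion weight (assumed values). The monitor raises an alarm
when the summed score of a trace reaches the threshold. Nothing here was
recorded from real software; all traces are made up for the example.
"""
from dataclasses import dataclass

# suspicion weight per observed action (assumed, not from any product)
WEIGHTS = {
    "write_program_files": 1,
    "write_user_documents": 1,
    "modify_autorun_key": 3,
    "install_service": 3,
    "open_listening_socket": 2,
    "read_address_book": 3,
    "send_mass_email": 5,
    "overwrite_executables": 5,
}


@dataclass
class Trace:
    name: str
    is_malicious: bool   # ground truth, which the monitor itself never sees
    actions: list


# constructed traces: benign software legitimately performs "suspicious" actions,
# and one malicious sample keeps a low profile
TRACES = [
    Trace("setup_office_suite", False,
          ["write_program_files", "modify_autorun_key", "install_service"]),
    Trace("mail_client", False,
          ["write_user_documents", "open_listening_socket", "read_address_book"]),
    Trace("text_editor", False, ["write_user_documents"]),
    Trace("mass_mailer_worm", True, ["read_address_book", "send_mass_email"]),
    Trace("file_infector", True, ["overwrite_executables", "modify_autorun_key"]),
    Trace("quiet_dropper", True, ["write_program_files", "modify_autorun_key"]),
]


def score(trace):
    """Sum of the weights of every action in the trace."""
    return sum(WEIGHTS[a] for a in trace.actions)


def verdicts(threshold, traces=TRACES):
    """Return (false_alarms, misses) the monitor produces at one threshold."""
    false_alarms = sum(1 for t in traces if not t.is_malicious and score(t) >= threshold)
    misses = sum(1 for t in traces if t.is_malicious and score(t) < threshold)
    return false_alarms, misses


def sweep(traces=TRACES):
    """Evaluate every threshold from 1 up to one above the highest score seen."""
    top = max(score(t) for t in traces) + 1
    return {th: verdicts(th, traces) for th in range(1, top + 1)}


def has_perfect_threshold(traces=TRACES):
    """True only if some threshold yields zero false alarms and zero misses."""
    return any(fa == 0 and miss == 0 for fa, miss in sweep(traces).values())


if __name__ == "__main__":
    for th, (fa, miss) in sweep().items():
        print(f"threshold {th:2d}: false alarms={fa} misses={miss}")
    print("perfect threshold exists:", has_perfect_threshold())
```

Lowering the threshold to 4 catches every malicious trace but alarms on the installer and the mail client; raising it to 8 silences those alarms and lets the quiet dropper through. The user is left with exactly the choice the paragraph describes, and no amount of tuning removes it as long as benign and malicious programs overlap in what they do.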

there are still a few products out there that use behaviour monitoring, but in general they're obscure products... the problem of being shut down by malware is mitigated by that obscurity (security by obscurity is no security at all, however) as the malware writers won't think to include those products in the large lists of processes to kill... the problem of false alarms is dealt with by - well, perhaps there's a good reason they remain obscure products (perhaps the problem isn't dealt with all that well at all)...

although behaviour monitoring does have some strength in areas where contemporary scanning technology is weak (new malware), its weaknesses more than cancel out that strength...

(and yes, i'm fully aware that one way to deal with the problem of being shut down by the malware is to run the malware in a virtual environment instead of on the physical machine, but then we're no longer talking about simple behaviour monitoring - that's sandbox technology)

digital rights malware

you might think that there's a legitimate need for DRM... you might think that DRM gives users options and flexibility... you might think that the Sony BMG DRM rootkit fiasco was an isolated incident that would never happen again...

you'd be wrong...

digital rights management, or more accurately digital rights malware is a technology whereby people who provide the user with content exercise what they feel is their right to take some measure of control over the user's electronic equipment...

it doesn't prevent copying (it can't prevent copying), at best it prevents using copies on machines that the content providers (or DRM providers acting as agents of the content providers) don't think the user should be allowed to use the copies on... i say at best because it totally ignores the concept of the darknet which effectively renders copy controls useless as soon as one person finds a way around the controls...

DRM takes control of the user's equipment - not to the same degree (usually) as a remote access trojan, but it's still taking some control and it is doing so without the authorization of the user... even under those circumstances where the full extent of the DRM's behaviour is revealed in an End User License Agreement (EULA), the EULA will go unread (as they all do) because EULAs are so full of legalese that the ordinary person can't actually understand them...

DRM can't work without treating the user as an opponent, its entire reason for being is to prevent the user from doing things that the user wants to do... there can be no legitimate need to install software on user-owned computers that acts against the user's interests unless you condone a copyright police state...

copyright should be protected by law, not technology, but the content providers don't trust the law to do that so they turn to DRM in order to gain more control... then they lobby for anti-circumvention laws to protect their DRM, effectively legitimizing the control they're grabbing in the eyes of the law and shifting the authority to make copyright policy away from the government and towards content providers (with all their vested interests)... but of course they don't trust the laws that protect DRM any more than they do the laws that protect copyright so they employ additional offensive technology to protect their DRM as happened in the Sony BMG debacle, and as will continue to happen (though with better PR) and possibly even escalate... it has to keep happening or the content providers have to start relying solely on the law to provide protection, thereby giving up the control they so obviously desire...

ultimately what it comes down to is control... DRM is meant to usurp the user's (and, when combined with anti-circumvention laws, the government's) control and therefore is much deserving of the malware classification (even if anti-virus/anti-spyware/anti-malware vendors can't or won't deal with that particular class of malware (yet))...

the halting problem - why you should care

the halting problem is very technical and i'm certainly not going to do the technical aspects of it any justice here (and the technically minded really aren't the audience i'm writing this for anyway)... the short version is that the halting problem tells us what is not possible in the computing world...

the basic idea goes like this: there is no set of steps a person or computer can follow that will always determine if an arbitrary program will halt (terminate/exit/stop running)... since following steps (instructions) is all a computer can do, this is significant for computers and computer software...

the reason this is interesting and useful to us is that we can apply it to other things - by that i mean that if we can show that doing X is reducible to the halting problem then we've effectively proven that it is impossible to do X...

now, let's follow a simple progression... creating a set of steps that will always determine if an arbitrary program performs function Y is reducible to the halting problem - all you have to do is say that function Y is a halt function and you'll see it's trivially true... there's nothing special about code that causes a program to exit that would make it difficult to find, the problem is determining if it will ever get executed...

creating a set of steps that will always determine if an arbitrary program is a virus is reducible to the halting problem... to be a virus the program has to perform the function of self-replication, and since you can't always determine (by following a set of steps) if an arbitrary program performs that function, you can't always determine if that program is a virus...

creating a set of steps that will always determine if an arbitrary program performs any other virus-like functions is reducible to the halting problem... i'm sure by now you can guess why...
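The reduction the three steps above rely on, carried through as a worked derivation (added here; the wrapper construction is the standard textbook one and is not something from the original post):

Suppose there were a procedure $D_Y$ that, for every program $P$, correctly decides whether $P$ ever performs function $Y$. Given any program $P$ and input $x$, construct the wrapper program $W_{P,x}$ as follows: simulate $P$ on $x$, with every $Y$-action that $P$ attempts replaced by a no-op; if and when the simulation finishes, perform $Y$ once. By construction,

$$W_{P,x} \text{ performs } Y \quad\Longleftrightarrow\quad P \text{ halts on } x .$$

Now define $H(P,x) := D_Y(W_{P,x})$. Then $H$ answers "does $P$ halt on $x$?" for every $P$ and every $x$, which is exactly what the halting problem says no procedure can do. So $D_Y$ cannot exist, whatever $Y$ is:

$$Y = \text{self-replication} \;\Rightarrow\; \text{no procedure always decides ``is } P \text{ a virus?''}$$

and likewise for any other virus-like function. Note what the derivation does not say: the code for $Y$ is easy to spot (a plain search for it inside $W_{P,x}$ succeeds every time); what cannot be decided is whether the simulation ever reaches it.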

this probably looks pretty bad... it seems like we can't tell very much at all about arbitrary programs - and not only is that absolutely true, that's also the point... that's why the halting problem is important; it shows us what can't be done so that we can separate the impossible claims from the possible ones, so that we can understand what is preventing anti-virus developers from finding all possible viruses, and so that when someone comes along and says "well why can't it just look at the code to find out what it does" we can know why that won't work... knowing what isn't possible is probably the best tool there is when it comes to weeding out the hype and identifying snake-oil in the anti-virus field...

Monday, December 05, 2005

SANS is distributing malware? wtf?

no, i'm not going to point you towards the URL to see that their malware analysis quiz includes real malware... i'm not going to raise the search profile of malware that is apparently still effective (by virtue of how SANS acquired it in the first place)...

i can, however, post a url to a featured quiz answer sheet for one of the previous quizzes in order to illustrate the nature of some of the malware SANS is making available to the public...

thank you SANS for providing malware to the masses and for showing me what you're really made of... clearly you folks belong to the wrong-headed full-disclosure for everything mindset... maybe you should take some time out of your busy schedules and examine what the classical benefits are for full disclosure and whether those benefits are achievable in the malware field...

Friday, November 18, 2005

what's that so-called real story again?

bruce schneier spins a yarn quite well in his recent article on the sony DRM scandal so i'm not going to bother making any kind of 'story' here...

read it... see if you can see what i see...

no, no, not the terminology misuse (that his own readers picked up on - in the industry it's that pesky cloaking business that makes something a rootkit, regardless of how bizarre that sounds)... no, he blames anti-virus companies for not detecting the rootkit sooner...

hello?!?! where was bruce almighty during that period, hmm?? where was his company counterpane and their managed security solution? didn't they detect anything??? we're talking managed security here, with actual people at the helm rather than the automatons that anti-virus software represents... i don't recall bruce raising the initial alarm, do you?

anti-virus software detects what it knows... how does it get to know something? by the people who make it being given samples or at least pointed in the right general direction as f-secure was...

how exactly were they going to get that information sooner than they did? ('chance' is the only way i can see that happening) and without that how were they supposed to detect it? are anti-virus companies supposed to sift through and analyze every line of code on the planet, and if so are we to believe audio CDs should have been high on their priority list?

and then, to go on and make the disingenuous statement that that kind of protection is exactly what we pay anti-virus companies for when he knows damn well (writes about it, talks about it, made a business model out of it) that real security isn't as simple as installing software and expecting it to protect you, that it's a process, that it requires real people making intelligent and informed security decisions - i'm sure that made for good copy but it's still hypocrisy... people protect computers, the software is just a tool to help them do the job... and of course no security, no matter how good, is perfect...

anti-virus software cannot protect you from everything all the time... many of them have no anti-rootkit technology yet, and detection of phoning home is generally relegated to the software firewalls...

bruce appears to be too far removed from the anti-virus community (note, i'm not specifying the industry) to get it... i've been part of the community for well over a decade and the only person i know who even mentions his name is me... i suspect the security guru simply considers viruses to be a small niche in the overall security landscape, and that may be true but the devil's in the details and those are something he isn't displaying a firm grasp of here...

i'm no anti-virus apologist here, though... he did get one thing right, any av company that wasn't all over this when the news broke deserves a swift boot in the ass... f-secure shouldn't have been the only av company denouncing sony's move from the get-go...

Monday, October 10, 2005

what the Common Malware Enumeration really is

i was not the least bit impressed by what i read in the comments to Schneier on Security: Computer Malware to Have Uniform Names... clearly people don't understand what the CME is or what it will be able to do...

first and foremost it is NOT a new naming scheme, it won't replace existing names or displace existing naming conventions... anti-virus companies will continue to name viruses in exactly the same way as they have been - the Common Malware Enumeration won't change that... at best the CME will provide a well coordinated alias for malware of significant interest...

the CME will not solve the naming problem... the naming problem is a byproduct of the commercial anti-virus environment - many competing organizations working in parallel on their own products necessitates that they come up with names themselves in order to get signatures to their customers as quickly as possible... waiting for some centralized body to give the malware a standard name means that they'd be leaving their customers exposed to the threat without protection for longer (because of the "deconfliction" process) which would ultimately hurt their bottom line...

the CME isn't necessarily going to improve the situation for users... not only are average users not going to be aware of what the CME is or what the CME number for a particular piece of malware can be used for, but it will likely have a similar effect on the anti-virus community that project vgrep had - its presence will make naming consistency seem less important... it won't actually be less important, CMEs will be numbers and thus will be next to unusable by real people except as an index to use when looking something up - names will still be used when discussing things or calling up tech support, etc... names are what people actually remember, not numbers, and with less motivation to be consistent with other organizations when it comes to naming the naming problem is likely to get worse instead of better...

this won't lead to better protection, it won't even guarantee less confusion... it'll be a big help to those of us who know what's what (and hopefully it won't go in the brain-dead direction project vgrep did by requiring registration in order to do lookups) but that's about it...

Tuesday, July 12, 2005

the importance of good definitions

Techdirt has an article on the recent attempts by a group of organizations to come up with an agreed upon set of definitions for spyware and adware... predictably, Techdirt gets it all horribly, horribly wrong...

the author feels that what the software does or doesn't do is immaterial - that any unwanted application that got on one's machine by unknown means should be classified as spyware... he's not the only one who feels that way but there's a BIG problem with this line of reasoning...

the problem is that classifying instances of software on the basis of how they make some nebulous real world group of users feel (which is essentially what the author's position boils down to) is ridiculously difficult on a number of levels... not only will countless millions be spent on navel-gazing exercises trying to divine whether a particular instance of software in a particular software bundle is going to be unwanted and unnoticed at install time by some fictional average computer user or one of his/her 3.2 kids, but countless millions more will be spent defending against a deluge of specious lawsuits on the grounds that each classification was arbitrary and prejudicial - ultimately leading to a system where the courts, rather than the industry, decide which program is spyware and which isn't...

we're computer scientists, not mind readers - we don't deal with this eye of the beholder crap unless we absolutely have to - and in this case we don't have to... we already have an umbrella term for all bad software - it's "malware"... if we're going to classify software for anti-whatever purposes we need to do it based on functional definitions (definitions based on what functions the software performs rather than definitions based on guessing how users will react to it)... we already have one malware classification saddled with an eye of the beholder definition, it's known as the "trojan", and that non-functional catch-all definition has been the bane of anti-trojan detection for years and is probably the reason we've had to make so many other classifications because it's proven totally unworkable as a classification that people can agree upon... classification based on eye of the beholder type criteria excludes widespread agreement by definition...

functional definitions, on the other hand, are much more reasonable... no guessing is involved and legal defense is practically a non-issue - define something based on its function and it becomes much more feasible to demonstrate that a particular thing belongs or doesn't belong in that class...

on reading the actual document that the group of organizations (the anti-spyware coalition) came up with i think that for the most part the definitions are reasonable but a little on the wordy side... adware, for example, could be much more simply defined as any software that advertises a product or service other than itself... likewise spyware can be defined as any software that surreptitiously collects information from the user's system and sends it back to a remote 3rd party...

they did miss the mark on rootkits again, but the most notable problem is their adoption of spyware as an umbrella term for just about all bad software... they justify this by saying that the public at large is calling it that but this is foolish; 2 years ago the public at large was calling all bad software viruses, 2 years in the future they'll be using yet another term... how will this system cope with that? better to ignore the foibles of the unwashed masses and simply strive for internal consistency... trying to accommodate terminology misuse by people who don't know what they're talking about will never work because the people who don't know what they're talking about will not be consistent over time - leaving those of us who do know what we're talking about having to guess what they're talking about regardless of how accommodating we try to be...

EDIT (07/19/2005): i retract what i said about their definition of rootkits - i don't know what i was looking at before but now it looks fine... turning spyware into an umbrella term is still bad though...

Monday, July 04, 2005

the end of anti-adware/spyware software

it seems like only yesterday that microsoft stepped into the anti-adware/spyware business and now it's probably going to collapse...

why? well, the thing about adware and spyware in the past was, despite being a pain in the ass to remove, they were relatively easy to detect... they were stand-alone programs or dlls that are discrete and easily removed, and the various registry or other startup tricks they use to make sure the adware/spyware runs also give away their location...

unfortunately, just as our cyber-innocence was lost 20 some odd years ago by the advent of computer viruses, some of its final vestiges that managed to stick around are again under siege by file infecting adware...

you're probably wondering why i would take such an alarmist stance on this, since i rarely do so... the reason is simple - existing anti-adware/spyware technologies simply can't cope with file infection, it is in no way comparable to what those products were doing before, the only thing that can deal with file infection right now is anti-virus technology... so we're back in the position of needing the anti-virus industry to provide all-in-one 'solutions' again and the anti-whatever-else industries will be left in the dust because AV technology is neither cheap nor easy to develop and the AV industry has an incredible head start...

this is actually really sad for the people involved... we had all these new types of threats and whole new industries spring up to try and deal with them, and then someone goes and adds file infection to them and it all falls down... the only 2 ways this won't happen is if file infection doesn't catch on as a big trend in adware/spyware, or if the anti-virus industry sits on their hands and (intentionally or otherwise) gives the anti-adware/spyware guys a chance to catch up...

of course, you could (quite correctly) argue that they should have seen file infecting adware/spyware coming and developed their products with that in mind, but that doesn't make things any less sad for the employees (who generally don't have a huge say in the architecture of the product) of those companies...

[edited to fix totally borked link - thanks for pointing that out nick]

Sunday, June 12, 2005

HP and wishful thinking

so, if you read "HP Labs - Virus-safe computing : Experimental solution makes security a cinch" you will no doubt get the impression that HP has come up with the virus solution in the form of reducing privileges for applications...

if only things were so easy...

the first mistake seems to be blaming the operating system... they make a good argument for it but it ignores the decades old result that all general purpose computers are susceptible to virus infection... it's not the operating system that decides whether a computer is a general purpose computer or not, that's only part of it - the hardware plays a part too... take bootsector infectors, for example: they're operating system agnostic, they run straight off the bios (or even lower level hardware interfaces) without intervention from any operating system... clearly, making changes to the operating system alone will not stop a computer from being infectable...

let's humour them for a moment though... the premise of the idea seems to involve preventing applications from being able to access that which they have no need to access - one of the examples they use is that Solitaire should not be able to search your desktop to perform its intended function... they hope to apply the principle of least privilege (or principle of least authority, depending on who's talking - it's basically the same thing) to individual programs, which is a novel departure from normal operating system security that normally only defines privileges for principals (users, local machine account, etc)...

let's consider this carefully - there are thousands, possibly hundreds of thousands of programs on today's computers (most of which the user isn't even aware of), how are we to define what privileges each and every one of those programs is supposed to have? there are 4 options:
  1. the computer could figure it out by itself by examining the programs
  2. the user could define them all at the outset
  3. the user could answer yes/no to a variety of pop-up questions as new applications are run and the system needs to know what kinds of privileges the new applications should have
  4. some authority (like HP perhaps?) could define the proper privileges for all applications everywhere in a central database, and that information would then need to be communicated to systems that need it

(1) is not really an option... it runs afoul of a little thing called the halting problem (if we could solve the halting problem we could have perfect virus scanners and this blog probably wouldn't exist)... not only is it not generally possible for a program to determine what another program does by looking at the code, it would require that we examine the program in its uninfected state first and that's not generally an option when we download infected materials...

if you think (2) seems like it would be an unreasonable burden on users you wouldn't be alone... in fact both (2) and (3) ask the user to decide what programs should be allowed to do and the user is almost certain to make mistakes - the more the user has to decide, the more mistakes are likely to be made, and those mistakes can lead to lost functionality ('i didn't know the program needed to do that'), more privileges (and therefore more opportunity to spread infections) than necessary, or both... there could be thousands of decisions to make and users are just not likely to do that at the outset... the pop-up questions (now familiar from such things as software firewalls) require less from the user at any one given moment, but that doesn't address the problem of knowing the right answer to the popped up question... it's a problem in software firewalls too, but at least in software firewalls all you need to do is figure out if the application is supposed to use the network - this system would require much more in-depth knowledge of each application...

and that leaves (4)... maybe a central authority could define the appropriate privileges for all known software in existence, but i doubt it... and even if they could produce entries for all known software, such a huge database would invariably have the problem that all large databases have - incorrect data... not to mention that this would boil down to a central software registry such that people would only use the software found in the authority's database (for security reasons of course) which winds up being no different than the proposed system where people only use software that's been digitally signed and certified by a similar central authority...

and besides all that, your application privilege system would then need a reliable, unspoofable means of identifying the program (filenames aren't enough, i can change filenames to whatever i like) - and not just the current version of the program but all versions of the program, for all programs... and it would have to recognize that some versions of a program would need different privileges than other versions of the same program (due to differences in feature sets)...
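The identification problem in the previous paragraph is easy to see in code. The following is an added example, not HP's design and not from the original post: a per-program privilege table keyed by the SHA-256 of the program's bytes instead of its file name. The program images, privilege names and policy entries are all constructed for the illustration. Renaming a program changes nothing; changing a single byte of it (a new version with a new feature set, or an infected copy) produces a different key, so that image falls back to the default, empty privilege set and needs an entry of its own.

```python
"""Constructed per-program privilege lookup keyed by content hash (illustration).

Assumed design: an entry is found by hashing the program's bytes, never by its
file name. This is not HP's system; it only demonstrates why a filename is not
an identity and why every version of every program needs its own entry.
"""
import hashlib

# constructed stand-ins for two versions of the same executable
SOLITAIRE_V1 = b"solitaire v1: draws cards, saves high scores"
SOLITAIRE_V2 = b"solitaire v2: draws cards, saves high scores, checks for updates"

# deny everything that is not explicitly granted
DEFAULT_POLICY = frozenset()


def program_id(image: bytes) -> str:
    """Identity of a program is the hash of its contents, not its name."""
    return hashlib.sha256(image).hexdigest()


# assumed policy table: privilege names are made up for the example
POLICY = {
    program_id(SOLITAIRE_V1): frozenset({"read_own_dir", "write_own_savefile"}),
    # v2 gained an update check, so it legitimately needs the network and v1 does not
    program_id(SOLITAIRE_V2): frozenset({"read_own_dir", "write_own_savefile", "network"}),
}


def privileges_for(image: bytes, filename: str = "") -> frozenset:
    """Look up privileges by content; the filename is deliberately ignored."""
    return POLICY.get(program_id(image), DEFAULT_POLICY)


def is_allowed(image: bytes, privilege: str) -> bool:
    return privilege in privileges_for(image)


def modified_image(image: bytes, extra: bytes = b"<constructed appended bytes>") -> bytes:
    """A changed copy (new build or infected file) no longer matches its entry."""
    return image + extra


if __name__ == "__main__":
    print("v1 as solitaire.exe :", sorted(privileges_for(SOLITAIRE_V1, "solitaire.exe")))
    print("v1 renamed          :", sorted(privileges_for(SOLITAIRE_V1, "winword.exe")))
    print("v2                  :", sorted(privileges_for(SOLITAIRE_V2)))
    print("v1 with bytes added :", sorted(privileges_for(modified_image(SOLITAIRE_V1))))
```

The same property that defeats the rename trick is what makes option (4) so expensive to maintain: a content-keyed table has no notion of "the same program, next version", so every build that ships is a new row somebody has to get right.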

i'm certain the folks at HP are not the first to think of defining privileges on a per program, rather than per user basis... why weren't operating systems designed that way? it seems to me that the answer is obvious, because it's an unworkable system...

the above mentioned article states rather plainly that they want all the security without losing any of the features of existing software - but the features create complexity and, to quote bruce schneier, "complexity is the worst enemy of security"...

ultimately, reduced privileges don't actually stop virus infection - what happens when a program that requires a great deal of privileges becomes infected? it spreads the virus far and wide... reduced privileges can't do any more on a per program basis than they can on a per user basis to stop viruses - that is, all they can really do is make the path of infection more convoluted until it gets to someone/something with lots of privileges - in other words, all they can do is slow the viruses down...

the way i see it, that article is either a very poor representation of what the researchers at HP are really working on, or the researchers at HP have 'jumped the shark'...

Monday, May 16, 2005

microsoft antivirus: the next generation

by now you've probably heard that microsoft plans to get into the anti-virus industry (again) and has already entered the anti-spyware industry... they apparently are planning to release a complete security package for a fee (see Techdirt)...

now, Techdirt makes an interesting argument for why giving away the security package might be problematic for microsoft - that they might get accused of anti-trust violations with regard to the desktop security industry...

so it would seem that they can't not charge money for their product - but here's a different angle... a big part of the problem that their product will be addressing is the insecurity of their other products... the argument has been made that anti-virus companies are the ones behind the viruses and it's an easy argument to debunk (the industry is very competitive and the companies would use that information against their competitors if it were true), but when it comes to security exploits microsoft IS behind many of the vulnerabilities being exploited... they're basically charging you to protect you from the threats posed by their other software - which sounds an awful lot like a protection racket to me...

worse still, however, is that with their complete security package they would have less motivation to actually fix the security problems in their other software... they could say that the threat posed by vulnerability X is mitigated by Microsoft Security Suite (tm), so the severity of the problem is less than critical so fixing it will be a lesser priority... they've been trying to address security for years now and so far it's been an abject failure - we have no greater confidence in the security of their software now than we did when they started... this could mark the end of their efforts to write more secure code - it could be the sign that they're giving up... writing software to protect people from exploits when you should be fixing the vulnerabilities certainly sounds like a cop-out to me...

so really, there doesn't seem to be any moral high ground for microsoft in this venture - either they kill the desktop security software industry by giving their own product away for free (like they did to netscape), or they can charge money for their product and at best admit defeat at writing secure code or at worst be guilty of protection racketeering...

maybe they should just stay out of the security industry entirely... they've tried their hand at it before (msav) and that was an abject failure too...

Thursday, April 14, 2005

blogs are dangerous?... wtf?!

well, it looks like some tool over at the bbc thought it would be a good idea to report on how blogs were increasingly being used as a way to get malware onto the computers of people who visit those sites... what this person missed entirely was that blogs are just web pages and the threats they pose are exactly the same as for any other type of website... these are just web threats, web threats of one kind or another have been around for years, there's nothing new here and blogs don't pose any threats that are specific to just blogs...

what really struck me, though, was how Viruslist.com picked up on the story and did nothing but parrot the message that blogs pose a threat... they could have set the record straight, they could have explained that these are just the same old threats in the same old medium (the world wide web), but apparently it's more important for them to use this opportunity to urge readers to use anti-virus software (and look at the pretty product placement at the bottom of the page)...

let's be perfectly clear here, web based security threats are not new and packaging them as though they're blog based security threats and are new effectively creates Fear, Uncertainty, and Doubt... the bbc news drone i can forgive for simply being ignorant, but Viruslist.com is part of kaspersky labs so they really should have known better...

Thursday, March 31, 2005

scanner decrepitude

a question that just keeps coming back is whether or not it's ok to use an old scanner if you apply the latest signature updates to it... this seems especially popular for NAV, and especially for NAV2002 (symantec take note, you were obviously doing something really well that year, maybe you should go back to that)...

the answer, of course, is no it's not ok... older scanning engines can't make proper, effective use of newer signatures so if you try this you won't be getting the full benefit you could be getting from an anti-virus product...

let's examine why... as new viruses are written, new techniques to confound anti-virus products are employed and so the anti-virus scanning engines need to be updated... it's not enough to just create new signatures, signatures only tell the scanner what to look for not how to look for it...

some people think this is fiction, but some people also believe the earth is flat... it's a demonstrable fact that over time older scanning technologies become obsolete and need to be replaced - the scanning engines in use before polymorphic viruses hit the scene were completely incapable of dealing with polymorphics, so too with macro viruses... those are the extreme examples; there are less critical circumstances where making modifications to the scanning technology is simply preferable, where the existing technology could have done at least part of the job but to get optimal detection performance a change in the engine is needed...

of course they keep the engine backwards compatible so that it can use all (or at least most) of the old signatures, but there's no such thing as forwards compatibility - older scanning engines can't make proper use of new signatures written to take advantage of the capabilities of newer engines...

as such, you have to keep your scanner engines up to date as well as the signature databases in order to get the full protection the product is supposed to be capable of...
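to make the "signatures say what to look for, the engine decides how" point concrete, here's an added toy example (mine, not any vendor's code or signature format): a signature database where each entry carries a "kind", and an engine that can only apply the kinds it implements... an old engine fed a newer wildcard signature just has to skip it, so the sample the new signature was written for slips through... the byte patterns and samples are constructed for the example:

```python
import re

# Constructed signature database (not any vendor's real format). Each entry
# says WHAT to look for; its "kind" implies HOW the engine has to look for it.
SIGNATURES = [
    {"name": "Plain.A", "kind": "bytes",
     "pattern": b"\xb8\x00\x4c\xcd\x21"},
    # Shipped in a later update: a wildcard pattern ('?' = any byte) for a
    # variant that changes two bytes every generation, so no exact match works.
    {"name": "Shifty.B", "kind": "wildcard",
     "pattern": b"\xe8??\x5e\x83\xc6\x03"},
]

def _wildcard_regex(pattern):
    """Compile a byte pattern with '?' wildcards into a regex over raw bytes."""
    parts = [b"." if b == ord("?") else re.escape(bytes([b])) for b in pattern]
    return re.compile(b"".join(parts), re.DOTALL)

# One matcher per signature kind: this table IS the engine's capability set.
MATCHERS = {
    "bytes": lambda pat, data: pat in data,
    "wildcard": lambda pat, data: _wildcard_regex(pat).search(data) is not None,
}

def scan(data, sigs, engine_kinds):
    """Scan data with every signature this engine knows how to apply.

    Returns (hits, unusable): names detected, and names of signatures skipped
    because the engine does not implement their kind (new sigs, old engine)."""
    hits, unusable = [], []
    for s in sigs:
        if s["kind"] not in engine_kinds:
            unusable.append(s["name"])
        elif MATCHERS[s["kind"]](s["pattern"], data):
            hits.append(s["name"])
    return hits, unusable

OLD_ENGINE = {"bytes"}              # engine from before wildcard support existed
NEW_ENGINE = {"bytes", "wildcard"}  # current engine the new signature assumes

# Constructed samples: a plain file and two generations of the shifting variant.
SAMPLE_PLAIN = b"MZ....\xb8\x00\x4c\xcd\x21...."
SAMPLE_GEN1 = b"MZ....\xe8\x10\x20\x5e\x83\xc6\x03...."
SAMPLE_GEN2 = b"MZ....\xe8\x7f\x01\x5e\x83\xc6\x03...."

if __name__ == "__main__":
    for label, sample in [("plain", SAMPLE_PLAIN), ("gen1", SAMPLE_GEN1),
                          ("gen2", SAMPLE_GEN2)]:
        print(label, "old engine:", scan(sample, SIGNATURES, OLD_ENGINE),
              "new engine:", scan(sample, SIGNATURES, NEW_ENGINE))
```

the old engine with the new database still "has the latest signatures", it just can't use the one that matters for the shifting variant, which is exactly the gap a user of an old scanner with fresh updates never sees...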

Monday, March 28, 2005

funny business

having one blog is good... having 2 blogs is bad... so says whatever universal process/concept/thing it is that makes me post entries to the wrong blog...

Saturday, March 26, 2005

let's be part of the problem

DVForge - Virus Prize 2005
what the hell are these people thinking, offering to pay people to write viruses for the mac and spread them in the wild? like virus writers don't already have enough motivation to write and spread viruses - especially when it comes to being the first one for a new platform or the first one in the wild for a new platform... those sorts of things already make them (in)famous...

these folks have clearly had a break from our ethical reality - you do not need a proof of concept virus to prove viruses can spread on the mac - mac OS X is basically a form of unix and the very first viruses that fred cohen wrote when doing his seminal work on viruses back in the '80s worked on unix systems... and they did work, they spread on production systems...

come on, folks - all general purpose computing platforms are susceptible to viruses... all of them... it's been proven - and i don't mean the way you prove things in court with evidence, because there will always be new platforms for which there is no evidence yet... i mean it's been proven on paper with logic - the only facilities a virus needs are those that are already present in the definition of general purpose computer...

these people are not solving any real problem by offering a reward to virus writers for writing yet more viruses (and you know damn well there are going to be a lot more viruses written than rewards handed out)... all they are doing is making virus spreading (because you do need to spread your virus so that it makes its way onto the target systems naturally in order to get the reward) seem more legitimate by wrapping it up like it's some sort of good deed that puts a set of misconceptions by uninformed people to bed... the fact is that they are soliciting behaviour that is illegal under canadian laws (criminal mischief pertaining to data) as well as laws in a variety of other countries that have unauthorized-access-related legislation...

john mcafee reputedly paid for virus collections and thus became a pariah in the anti-virus industry for supplying virus writers with financial motivation to write viruses... these people here are supplying financial motivation to write & spread viruses and that absolutely contributes to the problem, rather than the solution... these people are not interested in the greater good, they're only interested in making a name for themselves and they don't care how much damage they cause in the process...

update 5:30pm: well, that was quick... seems a lot of people contacted the guy in charge and convinced him to stop the contest... hurray!... now let's move on...

Sunday, March 13, 2005

rootkits for windows

this page tries to explain what rootkits are and the emerging threat they pose for the windows platform...

that's all well and good but there's something that just doesn't sit well with me... let's take a closer look:
The term rootkit is very old and is dated back to the days when UNIX ruled the world. Rootkits for the UNIX operating system were typically used to elevate the privileges of a user to the root level (=administrator). This explains the name of this category of tools.

i like this explanation... it's simple, it's consistent, it makes sense.... a rootkit is a tool used to gain root (*nix speak for administrator) privileges...
Rootkits for Windows work in a different way and are typically used to hide malicious software from for example an antivirus scanner. Rootkits are typically not malicious by themselves but are used for malicious purposes by viruses, worms, backdoors and spyware. A virus combined with a rootkit produces what was known as full stealth viruses in the MS-DOS environment.

now this is not so good... apparently rootkits for windows don't really have anything to do with giving a principal administrative privileges... it does a bunch of the other things its unix counterpart does (i.e. it uses sophisticated techniques to hide) but no elevation of privilege...

does that make sense to you?

if i take the self-replication out of a virus, regardless of the fact that it can still do all the other things it used to be able to do, it is no longer a virus...

why then if i take the root granting functionality out of a rootkit does it remain a rootkit?

it doesn't seem to make a lot of sense, it is not logically consistent... by rights, what they're calling rootkits for windows should be called (in keeping with the spirit of the rootkit name) stealthkits...

now, this was an f-secure description so you may well be thinking that maybe those f-secure folks are a little confused... but no, if that were the case then why does sophos also seem to think that rootkits are more about hiding than they are about privilege elevation (which they don't even mention)... and then there's sysinternals' explanation of rootkits which also focuses on hiding rather than privilege elevation...

this seems like it might actually be industry wide, in which case i can just sit here in awe and wonder because the industry appears to be from a completely different planet than you and me...

Wednesday, March 09, 2005

update from crazyworld

so guess what - Publishing exploit code ruled illegal in France...

guillermito will have to pay 5,000 euros if he publishes security vulnerabilities again... that's right, security research is basically illegal in france now so don't you be making fun of any of those french products that really, really suck...

but wait, there's more (there always is with this case)... if you read this article you'll see that tegam is defending its actions by saying that guillermito's claims are false and his motives questionable... ooops! if his claims are false then the exploits he supposedly published must not actually exploit weaknesses in the product - in which case he didn't publish exploits, only defamatory material, in which case tegam's current claims against him are baseless... but since a court of law agreed with tegam's claims they must not be baseless, in which case the exploits are real, in which case his claims are true rather than false... you can't have your cake and eat it too, tegam...

i swear this company must be run by untrained monkeys...

legality of virus writing

someone at f-secure is clearly frustrated...

how many times have i seen someone say that virus writing should be illegal? i don't know, i've lost count it's been said so many times... i'm sure it probably seems entirely reasonable too... except wait, oh my goodness, it's not!...

huh? what am i talking about? i'm talking about the fact that enforcing such a law would be an unprecedented contravention of fundamental human rights...

let's face facts - abstracted from all other related activities, simply writing a virus is analogous to writing in a personal journal... it's a matter of freedom of thought and as such one of the most fundamental freedoms there is... it doesn't affect anyone until the writer tries to communicate his/her idea with others... if i write a virus and no one else ever sees it, have i contributed to the virus problem? if i utter a racial slur and no one's around to hear it, have i offended a minority group? no on both counts... what i do in the privacy of my own home or the privacy of my own computer should be of no concern to anyone else...

if you're going to outlaw something, outlaw something that actually causes a problem... outlaw spreading viruses, maybe even outlaw publishing viruses (see here for why full disclosure shouldn't be usable as a valid argument against such free speech limitations), but keep the thought police out of the picture...

that's important so i'll repeat it - outlawing virus writing would be a contravention of a person's freedom of thought, keep the thought police out of the picture...

Thursday, January 13, 2005

anti-virus developers, listen up!

take a look here... (Message-ID: wa6dnTcvF_JsK3jcRVn-qA@comcast.com if the link is broken)

this poor user has a virus stuck in his email and he can't figure out which message it is that he needs to delete... folks, do me a favour, when you detect a virus inside what you recognize to be an email envelope could you report not just the virus name and filename but also some kind of identifying information for the email in question (From:, To:, Subject:)?

i mean really - when your product detects a virus in an email database and it can't clean it, without this information you might as well be telling the user "there is a virus somewhere on your computer"... that's just too vague to be useful...
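as an added illustration of what i'm asking for (my example, not any product's code), here's a scanner over raw messages that reports the envelope fields (From:, To:, Subject:, Message-ID) alongside the detection name and attachment filename... the detection itself is a placeholder that matches a constructed marker string, and the two-message mailbox and all addresses are constructed for the example:

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed, harmless stand-in for a detection (not a real signature).
MARKER = b"CONSTRUCTED-DETECTION-MARKER"

def detect(payload):
    """Placeholder for the real engine: returns a detection name or None."""
    return "Example.Constructed" if MARKER in payload else None

def scan_mailbox(raw_messages):
    """Scan raw RFC 822 messages and report, per detection, the envelope
    fields a user needs to find the offending message, not just the name."""
    reports = []
    for index, raw in enumerate(raw_messages):
        msg = message_from_bytes(raw, policy=policy.default)
        for part in msg.walk():
            if part.get_content_maintype() == "multipart":
                continue  # container, not content
            name = detect(part.get_payload(decode=True) or b"")
            if name is None:
                continue
            reports.append({
                "virus": name, "filename": part.get_filename(),
                "message_index": index,  # position in the mailbox
                "from": str(msg["From"]), "to": str(msg["To"]),
                "subject": str(msg["Subject"]),
                "message_id": str(msg["Message-ID"]),
            })
    return reports

def _build(from_, to, subject, mid, attachment=None):
    """Assemble a constructed test message, optionally with an attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"], m["Message-ID"] = from_, to, subject, mid
    m.set_content("see attached")
    if attachment is not None:
        m.add_attachment(attachment, maintype="application",
                         subtype="octet-stream", filename="invoice.exe")
    return m.as_bytes()

# Constructed two-message mailbox; only the second carries the marker.
MAILBOX = [
    _build("alice@example.invalid", "bob@example.invalid", "lunch?",
           "<constructed-1@example.invalid>"),
    _build("carol@example.invalid", "bob@example.invalid", "your invoice",
           "<constructed-2@example.invalid>", attachment=b"MZ" + MARKER),
]
```

calling scan_mailbox(MAILBOX) gives one report, and it names the sender, subject and message id of the mail that needs deleting rather than just "Example.Constructed in invoice.exe"...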

more from crazyworld

f-secure's blog had 2 good links showing both supposed sides of the guillermito vs. tegam issue...

tegam's press release described their displeasure at having their company violently depreciated (violently? ok, maybe that's just a translation thing, but they're obviously trying to appeal to our emotions rather than logic) for years and how a hardheaded search for vulnerabilities (what might otherwise be called persistence) is somehow wrong and unfair and that other companies don't get treated that way (even though they do - one need only look as far as invircible and its creator zvi netiv for an example of that; martin overton's chekmate didn't escape notice either, and there are plenty more examples)...

guillermito's side seems reasonably well laid out and unmired by marketing double-talk, along with examples (scanned full page advertisements) of tegam claiming he was a terrorist and that the FBI was looking for him...

tegam's press release suggests they're upset at the negative publicity guillermito has caused them, that it's hurt their public image, and yet they are the ones making false terrorist accusations... their legal complaint against guillermito doesn't seem to contest the validity of his claims, it only charges that he reverse engineered their product in a way that was not legal... you'd think if guillermito's claims about their software were false and hurt their reputation so much that there would be some sort of charge of defamation or something... i suppose guillermito must have a strong defence against such a defamation charge (like his claims being the truth)...

tegam - stop being such petulant children and take responsibility for your failures...

Tuesday, January 11, 2005

and in crazyworld, people can go to jail for finding bugs... did i say crazyworld? i meant france...

on fark this would probably get the [Asinine] tag... if you haven't heard about guillermito vs. tegam then count yourself lucky for the bliss that is your ignorance...

long story short: tegam produced a very, very bad anti-virus product, called viguard, and made classic snake-oil claims... guillermito (ok, not his real name but i always go by the first name i know a person by) produces a report that documents how bad the anti-virus is, complete with exploits... tegam sues guillermito for counterfeiting/criminal copyright infringement... guillermito faces 4 months probation in france (kind of a long way to go to see your probation officer when you currently live in the states and are working at harvard - assuming probation works in a similar fashion there) and a hefty fine...

what is the moral of this story? do you think it's that you should keep your mouth shut when companies LIE to the public? do you think it's that france's justice system is borked?

no, the moral of this story is that tegam cannot silence criticism with lawyers - the publicity from this case will point everyone towards the truth - any possibility of them re-establishing secrecy for their product's problems is gone - the only purpose the lawsuit can serve is to punish someone for telling the truth - and on the internet things have a habit of never going away, ever...

the free market works best in the presence of an informed consumer... tegam may win in a court of law, but the court of public opinion is a different beast entirely... vote with your wallet, folks...