Friday, August 5, 2011

some questions being raised

this is really just to keep track of and highlight two recent articles i stumbled across that i think bear scrutiny.

the first is a post by alex eckelberry in which he describes an unfortunate trend in the industry whereby collaboration to get bad stuff shut down isn't happening, possibly because of business reasons (like maintaining competitive advantage). glad to see alex cares, but bigger companies seem more impersonal and less altruistic.

the second (hat tip to alex again for pointing it out) is an article by danny bradbury detailing how the people who now own lavasoft (the company responsible for the well known and widely popular adaware anti-malware tool) have a colourful history of deception and fraud. certainly a disturbing precedent that i hope more villainous members of the cybercrime underground don't start trying to emulate.

Thursday, March 31, 2011

Open letter to the Anti-Malware Industry

My name is Kurt Wismer. Some of you know me, or at least know of me. Many more, I suspect, do not.

I don't count myself amongst your ranks in the industry, but in the 21 years I've been absorbing and passing on knowledge of the anti-malware field I've had the privilege of learning from (and even debating with) some of your pioneers and brightest minds.

When I realized that a major anti-malware vendor had a significant relationship with a malware vendor I was understandably taken aback because it goes so completely against the grain of the core ethical principle of the Anti-Malware Community (or at least what I understood it to be after all these years) and the rationale used to extend it to the various prohibitions the Anti-Malware Community and Industry are known for.

That core ethical principle is that causing people to become afflicted with malware is wrong. It should come as a surprise to no one that causing harm with malware is fundamentally incompatible with the aims of anti-malware, and one might even liken it to an anti-malware version of the Hippocratic Oath.

The prohibition against malware creation was born of the understanding of two things. First, that a malware's creator bears at least partial responsibility for the harm that malware causes (something even some malware authors themselves have come to realize over the years). Second, that even when you share such malware only with people you trust, it can be exceptionally difficult to make sure you don't trust the wrong people. There have been multiple examples over the years of malware created for no malicious reason but which fell into the wrong hands and found its way into the wild; and that's not including the people who share their "research" malware indiscriminately.

The famous rule about not hiring malware writers is a special case of the prohibition against rewarding malware writers. That prohibition came about as a result of the understanding that rewarding someone for doing something that you aren't allowed to do yourself, while not a violation of the letter of the principle you're supposed to be upholding, is definitely a violation of the spirit of that principle. By creating a reward for something that we know can cause harm, even with the best of intentions and the most stringent of care, we would still be part of the chain of causation that led to that harm.

I bring these up because, under this rationale, I really don't see a substantial difference between partnering with a company that employs malware writers and employing them directly oneself. I'll leave speculation about how that could have been overlooked by members of the industry for another time, but I would like to invite members of the industry, the community, and frankly even people who simply don't want to become victims of malware and who happen to agree with me to express their support for the following principle by leaving a comment:
Partnering with a company that employs malware writers does not differ substantially from employing those malware writers oneself and as such should be avoided with equal care.

ethical conflict in the anti-malware domain

forgive my silence over the last little while. motivation to blog sometimes isn't easy to find. as time wears on, fewer and fewer things get under my skin enough to drive me to rant (is that what it means to mellow with age?). but since you're reading this i think you can guess what this post implies.

five years ago i wrote a post about what i perceived as an ethical conflict in the anti-'rootkit' domain. it detailed the actions of two of the most notorious names in stealthkit research, jamie butler and greg hoglund, and how they were profiting from making a particular niche of the malware problem more popular (and thus, inevitably a bigger problem).

one of the things i pointed out was that symantec was working with a start-up company (komoku) that had jamie butler (author of what was at one time one of the most widely deployed stealthkits around) as its chief technology officer. i thought the fact that an anti-malware company was in bed with a company that hired such a high profile malware writer deserved at least a moment of reflection, considering the hard-line stance anti-malware companies take on hiring malware writers themselves. at the end of the day, mind you, that start-up was focused on prevention, so maybe the argument could be made that mr. butler had reformed or was trying to reform in some way. (mr. butler has since moved on to mandiant, along with his disciple {the FU2 to butler's FU} peter silberman)

when i read earlier this past week that another anti-malware company (mcafee) had been working with greg hoglund's company (hbgary) i thought it an interesting historical footnote but paid little attention to it beyond that (though, if i had remembered that mcafee had once been pointing fingers at rootkitDOTcom, maybe the hypocrisy would have stood out more). after all, little attention seemed to be paid to such connections five years ago, so why should this time be any different? well, that was before i knew what hbgary was into.

on top of the legitimate work that one can find out about by visiting the hbgary website (which of course i won't link to), it appears that hbgary also writes and sells malware for fairly large sums of money. the customers for their malware include the government/military but might not stop there. even if that set of customers does stop there, hbgary appears to be in the high-end commercial malware business.

so where does that leave mcafee? it leaves them in bed with commercial malware writers. while AV companies have been proclaiming for decades that they don't and won't hire malware writers, apparently they don't have to. they can simply partner with the boutique security shops that do. clearly they are not picking their business associates as carefully as they are their actual employees.

and then there's the claim that surfaces from time to time that AV companies won't make special provisions to keep malware deployed by the authorities from getting detected. what's the point of making such a claim if you're just going to turn around and do business with the company that may very well be making said malware?

how many other AV companies, besides mcafee, were or are in bed with hbgary? how many are in bed with companies LIKE hbgary? where's their ethical high horse when it comes to partnerships? why wasn't the "malware writers need not apply" policy updated when commercial malware became the norm and presented the loophole we see before us today?

some AV companies are rewarding malware writers financially. it may not be in the ways we traditionally thought of, but with the #2 company in the industry involved in this practice (and arguably the #1 company as well, depending on where you want to draw the line), the end result is AV companies contributing to the commercial success of malware writers, and that is not ok at all.

[republished from the anti-virus rants blog]