Thursday, March 31, 2011

Open letter to the Anti-Malware Industry

My name is Kurt Wismer. Some of you know me, or at least know of me. Many more, I suspect, do not.

I don't count myself amongst your ranks in the industry, but in the 21 years I've been absorbing and passing on knowledge of the anti-malware field I've had the privilege of learning from (and even debating with) some of your pioneers and brightest minds.

When I realized that a major anti-malware vendor had a significant relationship with a malware vendor I was understandably taken aback because it goes so completely against the grain of the core ethical principle of the Anti-Malware Community (or at least what I understood it to be after all these years) and the rationale used to extend it to the various prohibitions the Anti-Malware Community and Industry are known for.

That core ethical principle is that causing people to become afflicted with malware is wrong. It should come as a surprise to no one that causing harm with malware is fundamentally incompatible with the aims of anti-malware, and one might even liken it to an anti-malware version of the Hippocratic Oath.

The prohibition against malware creation was born of the understanding of two things. First, that a malware's creator bears at least partial responsibility for the harm that malware causes (something even some malware authors themselves have come to realize over the years). Second, that even when you share such malware only with people you trust, it can be exceptionally difficult to make sure you don't trust the wrong people. There have been multiple examples over the years of malware created for no malicious reason but which fell into the wrong hands and found its way into the wild; and that's not including the people who share their "research" malware indiscriminately.

The famous rule about not hiring malware writers is a special case of the prohibition against rewarding malware writers. That prohibition came about as a result of the understanding that rewarding someone for doing something that you aren't allowed to do yourself, while not a violation of the letter of the principle you're supposed to be upholding, definitely is a violation of the spirit of that principle. By creating a reward for something that we know can cause harm, even with the best of intentions and the most stringent of care, we would still be part of the chain of causation that led to that harm.

The reason I bring these up is that, under this rationale, I really don't see a substantial difference between partnering with a company that employs malware writers and employing them directly oneself. I'll leave speculation about how that could have been overlooked by members of the industry for another time, but I would like to invite members of the industry, the community, and frankly even people who simply don't want to become victims of malware and who happen to agree with me to express their support for the following principle by leaving a comment:
Partnering with a company that employs malware writers does not differ substantially from employing those malware writers oneself and as such should be avoided with equal care.

1 comment:

  1. Totally agree with the point Kurt!
    If you're going to be anything of an effective anti-malware vendor for your own sake and embarrassments!!!!!!!

    DON'T be the only logical blatant "DONTDO" and employ the very people that have taken a proactive effort to spy, sneak, disrupt and counter evaluable efforts you have been dedicating the majority of your precious time to!!!

    I mean honestly if you're that stupid to employ malware creators to fill the gap you hadn't... by being ineffective to develop your own antimalware product....
    you're looking at 2 answers to this example I like to call a total Wannabe wa*ker

    either you're just an idiot, lazy, learn the hard way pro or .......
    you should take the anti off of your efforts and tell your audience you'll provide consistent long lasting compromise to the system your efforts protect...and to expect breach after breach of everything you paid not to have compromised.

    and to the malware writers with a big smile on my face I wish you all the very worst of what life has to offer

    apologies for any grammar / typo type text

    (working on it!)

    Phil Payne