Message-ID: <401E49BC.1651.15361E97@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: MyDoom.b samples taken down
Kurt Weiske <kweiske@...aan.org> wrote:
> > I know most of you will not believe this because you so stupid you
> > already believe that live virus samples are _just_ information and
> > therefore _should_ be subject to "full disclosure" (this is a special
> > form of ignorance that very little empirical evidence seems able to
> > budge
>
> Before I make a judgement here, are you against publishing the virus in
> executable form that could be accidentally launched, or against
> publishing the virus in any form?
Both.
The problem is "publishing".
Because most users insist on relying on known virus scanning methods,
rather than any of the sensible approaches to "protecting" their
computers, publishing virus code in any form simply leads to more "new"
viruses. Most viruses are relatively minor "copy and tweak" variations
on already existing ones, thus explaining a large chunk of whatever
effectiveness you see in current heuristic and "generic" detection
methods in use in popular known virus scanners, however, those
approaches are far from perfect. Thus, making more virus code
available today will result in more new (i.e. "not initially detected")
viruses which means "the virus problem" will continue.
If most folk actually used sensible code integrity mechanisms, I would
not especially care about publication, as it would be irrelevant to the
effect _on the user_. (I would probably prefer that such code not be
published as why focus on such negative things when there is so much
good software development talent could be turned to, but those are
different issues rising from different dynamics, and one we do not face
today...)
> If the latter, then perhaps you might find other mailing lists with a
> more sympathetic audience. If the former, after consideration, I agree.
> Handling a live virus is akin to handling their real-world counterparts,
> and having some protection against accidentally launching it on a
> production system is a Good Thing. I've renamed mine to a non-executable
> extension, and they're off my production boxes.
You are clearly not aware that simply renaming to a "non-executable
extension" may not be enough...
And, as for your suggestion that virus code "should" be acceptable to
this list, I'll point out there has been nothing new in viruses since
Fred Cohen wrote his thesis. All actual "developments" we have seen
implemented in viruses were foreshadowed in his theoretical work.
Also, as a general pedagogical position, it is better to understand the
underlying theory and methods of a discipline rather than a few of its
specifics. We don't teach engineers how to build bridges by just
sending them to study the Sydney Harbour Bridge, the Golden Gate Bridge
and Tower Bridge. We teach them the theories underlying the choice of
design types, materials and processes and so on necessary to be able to
design _any_ safe bridge. Thus, knowledge of the specific is not that
critical... Well, unless your bridge falls down or you face an actual
outbreak of the virus, and then we tend to rely on the acknowledged
experts to provide the analysis and solution.
So, in a world where folk insist on relying on theoretically and
practically inadequate measures to "protect" them from viruses, and
where new viruses are thus trivially derived from existing ones, I
strongly object to all publication of detailed virus code.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
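As an added illustration of the point above that renaming a live sample to a "non-executable extension" is not enough (example code, not part of the original post): a content check that recognises a Windows PE image by its DOS and PE headers regardless of file name, run over constructed, inert header bytes standing in for a real sample.

```python
import struct

def looks_like_pe(data: bytes) -> bool:
    """True if the bytes carry a DOS 'MZ' stub whose e_lfanew field points at a
    valid 'PE\\0\\0' signature, i.e. the content is a Windows executable
    whatever the file is called."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of PE header
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

EXECUTABLE_EXTS = {"exe", "dll", "scr", "com", "pif"}

def disguised_executables(samples: dict) -> list:
    """Return the names of samples whose content is a PE image but whose
    extension does not say so.  A renamed sample is still a complete
    executable, so the rename alone is not a safe-storage control."""
    found = []
    for name, data in samples.items():
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if looks_like_pe(data) and ext not in EXECUTABLE_EXTS:
            found.append(name)
    return found

def _fake_pe() -> bytes:
    """Constructed, inert stand-in for a PE file: headers only, no code."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)        # 0x40-byte DOS stub
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> 0x40
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20   # PE signature + padding

# Constructed sample store: one "renamed" sample, one text file, one tool.
CONSTRUCTED_SAMPLES = {
    "mydoom_sample.txt": _fake_pe(),
    "notes.txt": b"analysis notes, plain text\n",
    "tool.exe": _fake_pe(),
}

if __name__ == "__main__":
    print(disguised_executables(CONSTRUCTED_SAMPLES))  # ['mydoom_sample.txt']
```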