Saturday, April 12, 2008

The Most Stupid Security News Ever

Seems like the BBC reporters have a shortage of subjects to write about these days… Maybe next winter we will also be able to read about how many snowflakes fell during Christmas all over the world or something like that (which, BTW, would still be way more interesting than the news quoted above).

I remember that some time ago, a group of researchers used automatic generators to create a few tens of thousands of variants of some malware, just to do some testing of A/V engines. And I remember how all the A/V people were complaining about how irresponsible that was, bla bla bla, as now they would have to work after hours to fight all this new malware. What BS!

For any given class of bug (think: exploits), or file infection method (think: viruses), or system compromise technique (think: rootkits, stealth malware), one can come up with a pretty much infinite number of examples that exploit the specific bug, the specific file infection method, or the specific system compromise technique. One virus would display you a “Hello, you’re being 0wned, sir.” message, while the other one would just flash your keyboard LEDs. Sure, two different beings, but if they exploit the same mechanism, the protection against them is also the same.
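To make the point above concrete, here is an added example (not code from the original post) that contrasts the two ways of "protecting" against a family of variants. The samples are constructed byte strings, not real malware: each one carries the same invariant mechanism marker (the constant `MECHANISM_STUB`, an assumption standing in for the shared infection routine) plus per-variant noise and a different message. A hash blacklist needs one entry per variant and misses every variant it has not seen, while a detector that matches the shared mechanism catches all of them with a single rule and still ignores a benign file.

```python
import hashlib
import random

# Constructed marker standing in for the invariant part of a variant family
# (the "mechanism" the post talks about). Hypothetical value, not a real signature.
MECHANISM_STUB = b"MECHANISM:file-infector-v1"


def make_variants(count, seed=0):
    """Build `count` distinct constructed samples that share MECHANISM_STUB.

    Each sample differs in random leading noise and in its trailing message,
    mirroring the post's "Hello, you're being 0wned" vs. "flash the LEDs" variants.
    """
    rng = random.Random(seed)
    variants = []
    for i in range(count):
        noise = bytes(rng.getrandbits(8) for _ in range(16))
        message = f"variant {i}: flash the keyboard LEDs".encode()
        variants.append(noise + MECHANISM_STUB + message)
    return variants


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class HashBlacklist:
    """Blacklisting: one hash per known sample, nothing for unseen variants."""

    def __init__(self):
        self.hashes = set()

    def add(self, sample):
        self.hashes.add(sha256_hex(sample))

    def detects(self, sample):
        return sha256_hex(sample) in self.hashes


class MechanismDetector:
    """Mechanism-based detection: one rule covering the whole class."""

    def __init__(self, stub):
        self.stub = stub

    def detects(self, sample):
        return self.stub in sample


def compare(n_known, n_new):
    """Train a blacklist on n_known variants, then test both detectors on n_new unseen ones."""
    all_variants = make_variants(n_known + n_new)
    known, new = all_variants[:n_known], all_variants[n_known:]

    blacklist = HashBlacklist()
    for sample in known:
        blacklist.add(sample)
    mechanism = MechanismDetector(MECHANISM_STUB)

    benign = b"plain text document with no shared mechanism"  # constructed benign file
    return {
        "blacklist_entries": len(blacklist.hashes),
        "blacklist_catches_new": sum(blacklist.detects(s) for s in new),
        "mechanism_catches_new": sum(mechanism.detects(s) for s in new),
        "mechanism_flags_benign": mechanism.detects(benign),
        "blacklist_flags_benign": blacklist.detects(benign),
    }


if __name__ == "__main__":
    for key, value in compare(100, 50).items():
        print(f"{key}: {value}")
```

Running `compare(100, 50)` shows the blacklist holding 100 entries yet catching none of the 50 unseen variants, while the mechanism detector catches all 50 and does not flag the benign file. The numbers are the whole argument: counting variants says nothing about how much new protection work exists.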

But, I know, it looks so cool in the news to read: “The number of viruses, worms and trojans in circulation has topped the one million mark”. It’s most definitely a good way to scare all the housewives and make them rush to the computer shop at the corner to buy the brand new A/V product that can already detect 99.9% of all those scary things out there.

10 comments:

kurt wismer said...

indeed, they all exploit the same mechanisms so the cure is the same...

limit sharing (complete isolationism), or limit the generality of interpretation (fixed first order functionality)...

then you won't have to worry about those pesky viruses anymore - or getting anything really useful done with a computer...

Ryan Russell said...

I'm sure I must be misunderstanding. "Infectability" isn't a specific problem you can solve once with a patch. It's a feature of general-purpose reprogrammable computers...

Timov said...

You are absolutely right about how these marketing guys get their mediocre security products sold by millions. Use terrorists. If terrorists are busy, use next best threat.

Straight from the pages of Naomi Klein's "Shock doctrine" ;)

Anonymous said...

Joasiu, it's not news, it's just marketing :), Regards

Joanna Rutkowska said...

@kurt wismer: You're close, even though I sense sarcasm in your comment;) IMO security should be provided by ISOLATION, not by BLACKLISTING, at least in our current times. Next 50 years, we will *maybe* have strict formal code generators/verifiers that would allow us to have at least implementation-bug-free and backdoor-free code.

@Ryan Russell: I'm glad you realize you're misunderstanding ;)

Anonymous said...

I do not understand why the most learned professionals in this field use their valuable time in the spotlight to denigrate others rather than to share new and important discoveries. At what level do you become just another finger-pointer instead of rising above the petty bickering. I am truly disappointed as this type of behavior detracts from your impressive and serious body of work.
luke.

kurt wismer said...

@joanna:
my comment was pure sarcasm...

isolation must be complete in order to prevent viruses, and complete isolation precludes division of labour and collaboration... without these things computers would be only slightly more useful than pocket calculators...

oh, and ryan has precisely no misunderstanding... he is exactly correct...

Joanna Rutkowska said...

@kurt wismer: I see you have a different definition of what isolation is. I refer to isolation mechanisms that we all know from OSes for years, e.g. address space isolation, usermode/kernelmode isolation, user accounts, etc. Having all those methods complete doesn't imply they are useless.

kurt wismer said...

@joanna:
it's not a matter of definition, it's a matter of degree... the OS mechanisms that place limits on sharing (some of the ones you mention have nothing to do with sharing) were never intended to provide complete isolation because the people making the OSes realize that some sharing is required in order for people to work together with computers...

further, those OS mechanisms have never been sufficient to stop viruses precisely because they don't provide complete isolation..

Anonymous said...

Fear sells.