Show Posts


Messages - Dmytry

1
Living Room / Re: Fabricated virus warnings.
« on: March 22, 2010, 04:43 PM »
I completely respect what you are saying, and in the beginning that was basically my position -- that these antivirus companies are only hurting themselves with these bullshit lazy false positives.
Are you sure that they're hurting themselves?
I'm not sure there are more people who did not buy antivirus because they heard of false positives on UPX than people who bought the antivirus software *because* of a false positive (see "buy full version to fix the file"). What about all the people who do have common sense and don't run viruses, who would quit paying for antivirus if it never finds anything? Think of all the regular people, friends and family, whom you helped set up their PC: are you so sure that they wouldn't choose one of the antiviruses that 'detects the virus' over those which 'fail to detect the virus'? That they would and could tell apart the situation when antivirus A has a false positive from the situation when antivirus B has a false negative? Surely, everyone understands that an antivirus can fail to detect a virus - but are you sure everyone understands that an antivirus can lie that it detected a virus? What about the enormous commercial success of fake/fraudulent antivirus software?

All in all, I'm not convinced that antivirus companies are hurting themselves with their false positives. Hurting others, sure, but themselves, I'd assume they would work to determine the optimal false positive rate, for the best balance between negative publicity and the extra sales to scared people, and would stay close to this optimal false positive rate.

2
Living Room / Fabricated virus warnings.
« on: March 22, 2010, 10:33 AM »
Hmm, I came across an interesting thread on the AutoHotKey forums (http://www.autohotke...orum/topic53129.html) related to donationcoder.
In my opinion, if you let a bully push you around even a little, you're well on the road to complete submission, to handing over your hard-earned lunch money to the bully and doing a funny dance. Today you stop using UPX, tomorrow you stop using the -O2 compiler flag in GCC, and the day after tomorrow you'll be buying code signing certificates coz any unsigned code gets flagged as malware. Then, to program you'll need a license and 'proofs' of being a good-behaving fella, 'just like for buying a gun'. All while big software vendors are whitelisted and could still do anything coz they can easily fight back with a libel lawsuit.

I'm entirely with AutoHotkey people on this issue. They have the courage to stand up for themselves.
On the technical side - the notion that UPX is associated with malware is laughable. UPX - the original unmodified version that the good guys in question use - is an executable packer. Ironically, UPX is the most antivirus-friendly packer there is - it is free open source, thus the unpacker can be incorporated into the antivirus, and the license even forbids packing binaries with custom versions of UPX that would not unpack with the vanilla UPX - that's why the good guys are using unmodified UPX. Whereas the bad guys aren't going to use a packer that is being flagged as malware, simple as that, so even if it was once true that some malware was being 'detected' by this "if it reads as a UPX archive, call it malware" heuristic, this heuristic has immediately rendered itself obsolete for any new threats.

So what do you think? Should the independent developers quit using any free technology that became a target for automated libel, losing without any fight? Or should we try to stand up for ourselves and hold the ground? The UPX issue may seem trivial - but it is just one step of retreat - there can be little doubt that antivirus vendors would come up with some other but similar 'heuristic' if their false positive rate is way below what they consider acceptable.

3
Living Room / Re: Antivirus companies support virus writers?
« on: March 05, 2010, 03:54 AM »
I'm not proposing to "secure things with CA" - but SSL certs (and code signing certs) need the CA system unless you want to rely on self-signed certs (and how do you verify the validity of those, then?).
Ok, let me rephrase that. You're implicitly assuming that CAs provide authentication. They don't (http://www.schneier....impressive_phis.html). If you ever read the legal disclaimers made by CAs, you may notice that they are not claiming to provide authentication, but rather disclaiming this.
The whole situation is extremely ridiculous. The only real difference between a CA-signed and a self-signed certificate is that the CA-signed certificate leaves you a few bucks poorer.
A bank could issue me with instructions for checking the certificate signature. In person. (The bank, in fact, already gives me a password generator device. What the bank actually needs is a good old simple shared-secret cryptosystem - using this generator's code as the shared secret. SSL doesn't support anything of that sort, and using SSL in this context is like hammering in screws because all we got is a hammer and a screw looks similar enough to a nail.)
In the case of SSL certificates, you know, there's no bigass warning for a real spoof site. The only warning you have for a real spoof is the lack of the tiny yellow lock icon.
Which is enough for power users (the ones that be keeping their software up to date, unlike regular users).
Don't you see what's ridiculous here? The only warning for real phishing victims is the absence of the yellow lock icon. Yet the browser displays extreme warnings for self-signed certificates.
Authentication isn't the only thing SSL does, though; confidentiality and tamper-resistance are just as important.
Indeed. What we have in practice is that a lot of sites which need confidentiality and tamper-resistance but not so much authentication are not using SSL at all, because a browser displays scary warnings for a self-signed or expired certificate but no warnings whatsoever for an unsecured site.

The bigass warning is mostly shown to customers of legitimate businesses who forgot to pay the racket money (forgot to renew the certificate).
And I do believe this is a problem. SSL certs and code signing certs are a bit on the expensive side. Code signing certs are slightly difficult to obtain, but that's mostly a positive thing, though.
There's been no known case of use of an expired certificate by a malicious party. Yearly expiration is only good for CA revenues; as a means of protection it is laughable. On average, there will be 6 months from the leak of the current certificate to its expiration; surely, the certificate should be revoked much sooner.

edit: to make it clearer.
Browser behaviour for increasing security level:
0: No SSL: absence of tiny yellow padlock icon [that's all the warning most phishing victims get].
1.0: SSL with no 'authentication' or an expired certificate: extremely scary warnings [which no phishing victims ever see].
1.1: SSL, CA-issued certificate (very insecure authentication by CA): no warnings. [some phishers obtain a CA-issued certificate]
End result: level 1, which most often is good enough against plausible attacks (sniffing), is unusable; a lot of sites which should use level 1 use level 0; a few use level 1.1, providing immense revenues for CAs.

4
Living Room / Re: Antivirus companies support virus writers?
« on: March 04, 2010, 05:53 AM »
Use Firefox, keep it up to date; it's usually fixed for exploits sooner than any use of the exploit appears in the wild (which is also sooner than antivirus responds). Geez.
The browser is only one part of the exploit vector equation - you're forgetting flash and java, which aren't always fixed in a timely fashion.

Fixing security holes with a third-party code blacklist for known uses of that security hole in the wild, that's just wrong. It's like you have a digital lock on your door, with a password code, and instead of updating the lock's firmware you also install a second lock that has a camera that blocks entry for people who look like known criminals.
A decent anti-malware product wouldn't just be blacklisting static code sequences, though, so this comparison doesn't really work. A better one would be a cop stopping a guy pulling a gun before he pulls the trigger.

Ditto by the way for digital certificates and 'certificate authorities'. Extortion scheme, pure and simple, not very effective for protection because it is possible to steal a certificate, but extremely effective for having various people make billions by doing very little. Everyone who doesn't pay up is subject to plain libel delivered when the user tries to run the application.* The libel also devalues genuinely useful warnings.
Unfortunately there's too many CAs and some have been way too lax on security... but how do you propose to secure things without a CA?
How do you propose to secure things with a CA?
In the case of SSL certificates, you know, there's no bigass warning for a real spoof site. The only warning you have for a real spoof is the lack of the tiny yellow lock icon. The bigass warning is mostly shown to customers of legitimate businesses who forgot to pay the racket money (forgot to renew the certificate).

5
Living Room / Re: Antivirus companies support virus writers?
« on: March 04, 2010, 05:07 AM »
Also as for whitelisting only known software - again, that's extortion. Norton's upcoming rating-based whitelisting scheme in particular. If your software is not rated up, it's not whitelisted, and will not be rated up. How will you get it whitelisted? Well, some paid certifications or other crap.

Ditto by the way for digital certificates and 'certificate authorities'. Extortion scheme, pure and simple, not very effective for protection because it is possible to steal a certificate, but extremely effective for having various people make billions by doing very little. Everyone who doesn't pay up is subject to plain libel delivered when the user tries to run the application.* The libel also devalues genuinely useful warnings.
[edit: *or enter an SSL site with a self-signed certificate. Notably, there's no warning for a non-SSL site at all. A somewhat more secure site generates scary warnings which a less secure site doesn't! To make the warnings go away you must regularly pay a hefty sum of money to the big-name racketeers to keep your cert up to date - else you lose a certain small but substantial percentage of users. Paying money to racketeers is immoral; the money gets used for harm. The only thing that the certificate certifies is the fact that you bulged in to the racket and you're paying ~$100 to the racketeers each year; it does not verify that you're well-intentioned, that your site was not hacked, and so on; it does not even verify that you are who you say you are.]

6
Living Room / Re: Antivirus companies support virus writers?
« on: March 04, 2010, 04:50 AM »
"Drive-by" - a really cute buzzword loved by paranoid people, since it means WHATEVER amount of common sense you have, you can still be screwed! = BUY a security package, you MUST. Almost entirely BS...

Scary in its coincidence, but I almost got screwed by a drive-by this morning. AVG saved me from it... so I don't know about that BS claim. It was my first time running afoul of a virus in a long time, and I hate to think what would have happened had I browsed to the site on my desktop that doesn't have AV software installed...
Use Firefox, keep it up to date; it's usually fixed for exploits sooner than any use of the exploit appears in the wild (which is also sooner than antivirus responds). Geez.
Fixing security holes with a third-party code blacklist for known uses of that security hole in the wild, that's just wrong. It's like you have a digital lock on your door, with a password code, and instead of updating the lock's firmware you also install a second lock that has a camera that blocks entry for people who look like known criminals.

7
Living Room / Re: Antivirus companies support virus writers?
« on: February 19, 2010, 08:04 AM »
"Even Symantec has "Stops threats unrecognized by traditional antivirus techniques" in their feature list"
Even small-brand rogue scareware has this sort of stuff in their feature list.
Just what the hell is that supposed to mean? No, it does not stop brand new malware, never did, and never will, because anyone who makes malware (except possibly the antivirus vendor) tests the malware against the antivirus software to make it pass. Heck, everyone who makes software has to do this because of false positives! If by chance the antivirus flags some new malware in development as malware - the chance exists for any new software - well, I suppose the author will simply swap a few functions around, fiddle with the compiler's optimization options, maybe screw a little with the UPX source code or not use UPX, and it'll pass.

From where I'm standing, we don't need a separate piece of software to protect from browser exploits and similar things; any decent browser gets patched before the antivirus in any case. What regular users really need antivirus software for is software piracy. Software piracy is not practical without having a good antivirus. (Ofc you can't pirate the antivirus itself because it phones home all the time to get updates.) If there's someone who profits big time from piracy, that's not piratebay. That's our glorious 'good guys', the antivirus vendors.

"Are you referring to Software Restriction Policy on Windows Dymtry"
No, I'm not referring to Software Restriction Policy, or any implemented method, for that matter. I'm making an observation:
Almost none of the applications I or you use, except for a couple of special utilities (file search tools and such, which a layman user may not even have), read from or write to files and locations that aren't either
a: in the software's own folder, or
b: chosen by the user through the file dialog, AS OF NOW WHEN THERE IS NO SECURITY.
This is the un-enforced convention which the large majority of good software nonetheless obeys.
Nobody's interested in enforcing this; they're interested in blacklisting, because blacklists have to be up to date (=subscription services); they're interested in whitelisting, because that will let them extort money out of software developers - those developers who actually make anything of value; they're interested in showing a ton of scary popups; they're interested in 'heuristics' (tricks that aren't guaranteed to work, and do not work), because those generate a lot of false positives (extortion from honest developers again, though fortunately this is not so bad because you can always work around a false positive by fiddling with the code - the same applies for true positives for real malware). But they're not interested in doing anything relatively quiet that'd work. Our only hope is that Microsoft eventually sorts security out.

8
Living Room / Re: Antivirus companies support virus writers?
« on: February 18, 2010, 01:15 PM »
Well, I don't think antivirus software is a correct approach to the problem in the first place. Blacklisting bad software or whitelisting good software is stupid (and whitelisting is just good ol' racketeering, as the developer has to pay to get whitelisted).

Think about an application like a web browser, and what sort of access it needs to your hard drive.
Basically, it has to be able to:
0: access network.
1: read and write inside its own configuration folder
2: read the files you choose through system's standard file open dialog.
3: write to locations you choose through system's standard save dialog.
It is entirely possible to lock down file access *extremely* tight without *ever* nagging the user with an extra dialog, relying on the dialogs which are already presented to the user. But it has to be done at the system level.
Of course, there would still be privilege escalation exploits and such - but those have to be dealt with by *patching* not by blacklisting.
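The four-rule access model in this post, and the "own folder or user-chosen file" convention observed in the February 19 post above, as an added illustration that is not code from the forum or from any real OS sandbox: a hypothetical per-application policy checker where the system's Open/Save dialogs, not the application, record what the user picked. The config path, the user's choices and the request list are constructed for the demo.

```python
import posixpath

def normalize(path):
    """Collapse '.', '..' and duplicate slashes so a traversal such as
    config/../../.ssh cannot slip past a prefix check; relative paths are
    rejected because the policy is written in absolute locations."""
    if not path.startswith("/"):
        raise ValueError("sandbox paths must be absolute")
    return posixpath.normpath(path)

class AppSandbox:
    """Hypothetical policy: network allowed, own config folder allowed, any
    other file only if the user picked it in the Open (read) or Save (write)
    dialog. Nothing else is ever prompted for; it is simply refused."""
    def __init__(self, config_dir):
        self.config_dir = normalize(config_dir)
        self.read_grants = set()    # files chosen in the system Open dialog
        self.write_grants = set()   # locations chosen in the system Save dialog
        self.denied = []            # every refused request, for audit/detection
    # Called by the system's dialogs, never by the app itself, so a grant is
    # exactly what the user chose and no extra security dialog is needed.
    def user_opened(self, path):
        self.read_grants.add(normalize(path))
    def user_saved_to(self, path):
        self.write_grants.add(normalize(path))
    def _in_config(self, path):
        return path == self.config_dir or path.startswith(self.config_dir + "/")
    def check(self, op, target):
        """Return True if the request is allowed under the four rules."""
        if op == "connect":                 # rule 0: network access
            return True
        try:
            path = normalize(target)
        except ValueError:
            self.denied.append((op, target))
            return False
        if self._in_config(path):           # rule 1: own configuration folder
            return True
        if op == "read" and path in self.read_grants:     # rule 2: Open dialog
            return True
        if op == "write" and path in self.write_grants:   # rule 3: Save dialog
            return True
        self.denied.append((op, target))    # everything else is refused silently
        return False

def demo():
    """Constructed scenario: a browser that opened one file and saved one page."""
    sb = AppSandbox("/home/alice/.config/browser")
    sb.user_opened("/home/alice/Documents/report.pdf")
    sb.user_saved_to("/home/alice/Downloads/page.html")
    requests = [
        ("connect", "example.net:443"),                          # allowed
        ("write", "/home/alice/.config/browser/cookies.db"),     # allowed
        ("read", "/home/alice/Documents/report.pdf"),            # allowed
        ("write", "/home/alice/Downloads/page.html"),            # allowed
        ("read", "/home/alice/.ssh/id_rsa"),                     # refused
        ("read", "/home/alice/.config/browser/../../.ssh/id_rsa"),  # refused
        ("write", "/home/alice/Documents/report.pdf"),           # read-only grant
        ("read", "/home/alice/.config/browser2/secret"),         # sibling dir
    ]
    return [sb.check(op, target) for op, target in requests], sb.denied
```

The `denied` list is where a defender would hook detection: a browser that keeps asking for a private key path is itself the signal, without any signature database.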

9
Living Room / Re: Antivirus companies support virus writers?
« on: February 18, 2010, 05:25 AM »
The OSX point is definitely a good one against the assertion of the original article. But there may be other reasons for that... The example of physical security companies doing bank robberies falls a lot more into my point about the tire slashing example though. It's a helluvalot harder and more risky to stage robberies to inflate the value of your security service (although I believe even this sort of thing *has* been done in the past!), than it is to anonymously pay cheap virus writers to iterate off of existing virus toolkits in a foreign country outside of our legal jurisdiction and unlikely to ever "whistle blow" to anyone relevant and within earshot. It just involves a whole lot more headache than the digital equivalent. I bet I could go jump on a rent-a-coder type site right now and find someone willing to do this for a couple hundred bucks within 24 hours. Hehe.

- Oshyan
For OS X, imho you have all the same reasons which make malware writers not write many viruses for OS X, plus a few extra reasons such as a higher risk of getting caught, and the difficulty of hiring a third-world workforce for Mac work (you can bet Apple would work hard to investigate where the viruses come from, should there suddenly be a surge of OS X viruses along with a marketing campaign for an antivirus). For the rentacoder remark - heh, I've been browsing rentacoder jobs once, and seen more than a few jobs almost certainly involving development of trojan software (private description, required ability to work with gmail, yahoo, facebook etc. accounts, network programming experience, and you have to be located in the former eastern Soviet bloc).

What actually prompted my quite angry blog post is an assertion by an antivirus company spokesman that there's more virus software being written today than legitimate software.

For whether it is happening - look up rogue anti-virus software. It is happening all the time on a small scale. The only question is, is it happening on a large scale? I think yes. I do not believe that a big company would take a lot of hit should they be discovered doing this. Companies routinely break the law in a very nasty way. Look up Pfizer off-label use. You can enter any other big pharmaceutical company instead of Pfizer and see the very same thing. Willful law-breaking in a case where it could not be concealed, but the fine is smaller than the revenue from the illegal operation. I do not think anything would happen to McAfee should anything like this be discovered. I guess a huge enough fraction of their users already believe firmly that they make viruses and this is a case of racketeering.
Think about it: back in the mafia days, would you *not* pay a 'security' firm if you knew for sure they're the mafia who are doing the very break-ins that you need protection from? In terms of cyber-crime, it's those mafia days today, with just about every normal user having experienced some form of cyber crime first hand.
