Antivirus companies support virus writers?

wraith808:
"Drive-by" a really cute buzzword loved by paranoid people since it means WHATEVER amount of common sense you have, you can still be screwed! = BUY a security package, you MUST. Almost entirely BS...

--- End quote ---

Scary in its coincidence, but I almost got screwed by a drive-by this morning. AVG saved me from it... so I don't know about that BS claim. It was my first time running afoul of a virus in a long time, and I hate to think what would have happened had I browsed to the site on my desktop that doesn't have AV software installed...
-wraith808 (February 19, 2010, 12:11 PM)
--- End quote ---
Use Firefox, keep it up to date, it's usually fixed for exploits sooner than any use of exploit appears in the wild (which is also sooner than antivirus responds). Geez.

-Dmytry (March 04, 2010, 04:50 AM)
--- End quote ---

I *am* using firefox, and it *is* up to date, and my OS is patched for every known exploit that I know of.  I think that's an assumption fail.

f0dder:
How do you propose to secure things with CA?
-Dmytry (March 04, 2010, 05:53 AM)
--- End quote ---
I'm not proposing to "secure things with CA" - but SSL certs (and code signing certs) need the CA system unless you want to rely on self-signed certs (and how do you verify the validity of those, then?).

In case of SSL certificates, you know, there's no bigass warning for a real spoof site. The only warning you have for a real spoof is the lack of the tiny yellow lock icon.
-Dmytry (March 04, 2010, 05:53 AM)
--- End quote ---
Which is enough for power users (the ones that be keeping their software up to date, unlike regular users). Authentication isn't the only thing SSL does, though; confidentiality and tamper-resistance are just as important.

The bigass warning is mostly shown to customers of legitimate businesses who forgot to pay racket money (forgot to renew certificate).
-Dmytry (March 04, 2010, 05:53 AM)
--- End quote ---
And I do believe this is a problem. SSL certs and code signing certs are a bit on the expensive side. Code signing certs are slightly difficult to obtain, but that's mostly a positive thing, though.

Dmytry:
I'm not proposing to "secure things with CA" - but SSL certs (and code signing certs) need the CA system unless you want to rely on self-signed certs (and how do you verify the validity of those, then?).
-f0dder (March 04, 2010, 06:07 PM)
--- End quote ---
Ok, let me rephrase that. You're implicitly assuming that CAs provide authentication. They don't (http://www.schneier.com/blog/archives/2006/02/impressive_phis.html). If you ever read legal disclaimers made by CAs, you may notice that they are not claiming to provide authentication, but rather disclaiming this.
The whole situation is extremely ridiculous. The only real difference between a CA-signed and a self-signed certificate is that the CA-signed certificate leaves you a few bucks poorer.
A bank could issue me with instructions for checking the certificate signature. In person. (The bank, in fact, already gives me a password generator device. What the bank actually needs is a good old simple shared secret cryptosystem - using this generator's code as the shared secret. SSL doesn't support anything of that sort, and using SSL in this context is like hammering in screws because all we got is a hammer and a screw looks similar enough to a nail.)
In case of SSL certificates, you know, there's no bigass warning for a real spoof site. The only warning you have for a real spoof is the lack of the tiny yellow lock icon.
-Dmytry (March 04, 2010, 05:53 AM)
--- End quote ---
Which is enough for power users (the ones that be keeping their software up to date, unlike regular users).

--- End quote ---
Don't you see what's ridiculous here? The only warning for real phishing victims is the absence of the yellow lock icon. Yet the browser displays extreme warnings for self-signed certificates.
Authentication isn't the only thing SSL does, though; confidentiality and tamper-resistance are just as important.

--- End quote ---
Indeed. What we have in practice is that a lot of sites which need confidentiality and tamper-resistance but not so much authentication are not using SSL at all because a browser displays scary warnings for a self-signed or expired certificate but no warnings whatsoever for an unsecured site.

The bigass warning is mostly shown to customers of legitimate businesses who forgot to pay racket money (forgot to renew certificate).
-Dmytry (March 04, 2010, 05:53 AM)
--- End quote ---
And I do believe this is a problem. SSL certs and code signing certs are a bit on the expensive side. Code signing certs are slightly difficult to obtain, but that's mostly a positive thing, though.

--- End quote ---
There's been no known case of use of an expired certificate by a malicious party. Yearly expiration is only good for CA revenues; as a means of protection it is laughable. On average, there will be 6 months from the leak of a current certificate to its expiration; surely, the certificate should be revoked much sooner.

edit: to make it clearer.
Browser behaviour for increasing security level:
0: No SSL: absence of tiny yellow padlock icon [that's all the warning most phishing victims get].
1.0: SSL with no 'authentication' or expired certificate: extremely scary warnings [which no phishing victims ever see].
1.1: SSL, CA-issued certificate (very insecure authentication by CA): no warnings [some phishers obtain CA-issued certificate].
End result: level 1, which most often is good enough against plausible attacks (sniffing) is unusable; a lot of sites which should use level 1 use level 0; a few use level 1.1, providing immense revenues for CAs.

CodeTRUCKER:
Ok, it's been a few weeks since this thread was bumped, but I did have some thoughts on the original subject...

"The best defense is a good offense."

I do not know the original author of this wisdom, but it does apply here. Also, I have no first-hand or second-hand knowledge of the business dealings of the A-V/Security software houses, but I am a businessman.

If I were in the business of A-V products I would be a fool not to at least consider gaining the advantage of hiring virus authors to my R & D initiatives. It does not necessarily follow that I *must* enhance my profits by adding threats to the "wilderness." Just because a virus is authored does not require it to be released. As a responsible businessman it would be incumbent on me and my principals to ensure that any creations must be indefinitely quarantined.

Just out of curiosity, has anyone ever heard any of the A-V houses state unequivocally they do not employ the dark talents of virus hackers? I have not.

Given the above, I am persuaded that malware authors must be included in the business models of *all* the A-V vendors as it would self-inflict an anemia within their R & D wings that would subordinate their developments to competitors if they did not, but my persuasions must halt on this point. Like many things in business, morality and integrity can only be as strong in commerce as it is in the characters of the corporate executives.
