
The Politics of Malware

Kurt Wismer comes up with the standard set of criticisms that we've received at Offensive Computing.

Kurt really touches on the heart of the issue when he says, "i suppose the argument could be made that public access helps those just breaking into the anti-malware market, but in reality there's all kinds malware already readily available to such people so they can build their malware databases organically... at the same time they can build their reputations and trust relationships with others in the anti-malware community so that by the time they need access to malware they can't easily find themselves they'll have people they can turn to..."

It is true, all you have to do is go look and you'll find all kinds of malware. What you won't find are collections of malware that are somewhat presorted for you. You won't find the analysis, and you won't find trends. This causes a duplication of effort that could better be spent on experimenting with new ideas. The old guard of AV protection is just not working. There are many, many smart people working on the issues, but in the end, until people work together, advancement cannot happen.

There are large barriers to starting malware research. We believe that those barriers are unnecessary for a largely innocuous threat. The real threat is the new malware that is not, and cannot be, detected. For the most part the current malware threat has been innocuous and easily handled. What is the path forward when newer, more creative threats emerge?

Response

Responses inline:

> "so, assuming they're legit (and that's quite the assumption to make where cult of the dead cow members are concerned "

Well, first of all, members of Cult of the Dead Cow have made massive contributions to the field of security and in raising awareness. Many of them have gone on to be involved in highly positive, impactful security companies (@stake, Zone Labs, the list goes on).

> "have clearly not considered how realistic their expectations are about the supposed benefits OR the costs to society at large OR the lessons to be learned from other attempts to do roughly the same thing..."

We've done nothing but consider it, daily. We also don't worry about what others have done because as far as we have seen no one has done what we are doing. All we have seen in the past is big virus archives with nothing but the samples themselves, roughly organized.

> "the supposed benefits proponents of these kinds of projects usually trot out noble ideas like full disclosure, open source, and collaboration... if only things could work out the way they planned"

Actually, it's working out quite well. We have between 200,000 and 400,000 hits a month, tons of e-mail, collaborators from all over the security industry, and people actively collaborating on our site. We had around 2000 people attend our talk at DEF CON :)

> "... full disclosure, as I've stated before, only has a positive cost/benefit trade-off when the underlying problem can be fixed (which generally isn't the case with malware)"

Full disclosure = dead horse. It's pretty much accepted by the vast majority of top security professionals as the right way to go. Hence all the great talks at Black Hat. :)

> "finally, the vast majority of ordinary users will never directly participate in the collaboration or even know it exists and the established experts already have better (read: less naive/negligent) channels through which they can get the same materials..."

We are not a site for ordinary users and have never presented ourselves as such. We are a site for security professionals, analysts, etc. If what you say were true, then why are experts and antivirus companies collaborating with us and doing analysis and signatures based on samples we provide? That's the point: there are no better channels. There are vetted forums and mailing lists which gather a subset of the samples and exclude many people who have a positive contribution to make. I know because I am on many of these vetted lists.

> "normal people do not use malware to help them defend their networks from malware - they use security software to defend their networks, security software written by other people, generally a relatively small group of people (small in comparison to the number of people who use it)... "

How do you define normal people in the security industry? I don't think there are any :) I've worked incident response for major (Fortune 500 level) organizations for years. We VERY OFTEN needed samples of malware to develop Snort signatures against targeted or massive attacks and to do damage assessments (what was the impact of this malware being on our network?). Having the sample to do analysis in order to be educated on what the appropriate defense is, is so common, such basic security 101, that it's almost not worth mentioning.

> "this isn't going to change - it will never be the case that the majority of the population will involve itself in the technical minutiae of synthesizing solutions to specific malware problems"

I agree with this; my mom doesn't need access to malware and she probably won't ever visit my site. If she did she would have to 1.) know what she's looking for by md5sum or name, 2.) download it, 3.) unzip it and figure out the unzip password and 4.) execute it. I'm not too worried about my mom getting past #1 :) However, the thousands of sysadmins and security people who are not on one of the extremely vetted lists do need access to it. I know because I was / am one of them.

> "... how does free public access to live malware actually help these people who are trying to defend their networks? what impact does having such access have on the quality or effectiveness of the software that they're actually using to defend their networks with when they aren't the ones making that software?"

I would ask this question of the several hundred thousand visitors we have, because it seems to have a positive impact on them (public institutions, major well-known corporations, antivirus companies, and security organizations are all involved with OC). In my case it's great for testing our IDS/IPS solutions, antivirus software and other security measures. It also helps us configure those products to be most effective because we know in depth what the threats are.

> "clearly having such access does not help these users and has no impact on the quality of the tools they use - all that really matters is that the people who make the tools have access, and those people have access even without a project like offensive computing (otherwise how'd they get by up to now?)"

That's not clear at all to many people. Who decides who is competent enough or a "true researcher"? This sounds like political exclusionary elitism to me, which is abhorred by true academics.

> "i suppose the argument could be made that public access helps those just breaking into the anti-malware market, but in reality there's all kinds malware already readily available to such people so they can build their malware databases organically... at the same time they can build their reputations and trust relationships with others in the anti-malware community so that by the time they need access to malware they can't easily find themselves they'll have people they can turn to..."

You just made all our points for us. We aren't doing anything any more evil than, say, Google or any computer hooked straight to the internet. And we are providing a space for people to build reputations and trust in the community, and it's happening successfully all the time. So thanks, I couldn't have made this point any better myself.

> "the cost to society
> it's important, whenever examining some proposal to improve security (as offensive computing does), to not blindly look only at the promise such a proposal has - you also have to look at how the system can be gamed... in this case it's fairly simple - it can be used to put malware in the hands of bad guys of course (and it's clear why that's bad) but it also can put malware in the hands of lazy/careless people, incompetents, looky-loos, and all manner of other folks who have no business handling malware - the second type of new age virus writer as described in sarah gordon's paper generic virus writer 2, the one you may have working in your IT department right now, is exactly this sort of person..."

I'll be honest, no malware user (i.e. nefarious blackhat person) is likely going to go download something that is catalogued, analyzed and fingerprinted from our site and use it. That's just idiotic. If they do, they aren't much of a threat anyway. Lazy looky-loos, as you call them, infect their systems all day long without my help. Why visit Offensive Computing and go through all that trouble when they can just click on that viagra ad in their email?

> "all this boils down to more variants being made, more malware being 'deployed', and a facilitation of the collaboration going on between malware creators by doing away with the innovation bottleneck of conventional participatory collaboration and replacing it with a new and less constrained model..."

Malware creators have much more efficient, protected and anonymous ways of collaborating than this site. Offensive Computing offers malware creators essentially 0 value except for possibly inspiring them to see that security and analysis is much more fun / productive than malware creation. The community is a lot friendlier too.

> "however, those projects aren't intended to help the good guys so it's really not comparable..."

Thanks again for the plug!

> "i suppose i could also mention the sites for sharing exploit code... superficially they seem like they'd be comparable to this offensive computing project, however, as I've said before, exploit disclosure and malware disclosure are 2 very different things - the cost/benefit analysis of disclosing software defects and how they can be exploited comes up positive for us while the cost/benefit analysis of disclosing malware does not, so this too is really not comparable..."

Actually, it's exactly the same thing. Malware and exploits both compromise security and make a computer do something unintended/unauthorized. And open debate, discussion and collaboration on these issues is exactly what is needed and exactly what moves the security industry forward enough to keep up (barely) with the bad guys. Malware exploits software defects, and so the cost/benefit is the same. It's the same issue.

> "so then what project is comparable?" you might ask - well how about rootkitDOTcom? they make a form of malware freely available on that site with the stated goal of helping security researchers tackle the 'rootkit' (*cough* stealthkit *cough*) problem... so let's look at how well that's worked out so far - over the past couple of years the stealthkit problem has gotten worse, not better... they're more widely used, they're more widely sought after, and they're getting more and more sophisticated... on that basis alone it would seem like rootkitDOTcom is failing to achieve it's supposed goals..."

Look at the great tools that have come out as a result of the work of people at rootkit.com: System Virginity Verifier, RootkitRevealer (I'm sure BlackLight was influenced as well). It is because of that site that the good guys even KNOW about these issues which the blackhats have been taking advantage of silently for years. Finally now a light has been shed and the cockroaches are scurrying to find new hiding places. With the help of sites like rootkit.com and Offensive Computing these new hiding places will be exposed as well.

> "but the rootkitDOTcom example goes beyond simple failure to do good, the most damning thing is how much BAD it's done... I've described in the past how one of the site's founders made a stealthkit available on the site and how that stealthkit (unaltered from the compiled binary available on the site) then went on to become one of the most widely deployed stealthkits in the world... it's not like this was malware that was captured in the wild and whose success in the wild when it was freely available on a rather high profile site could be explained away as coincidence... it's also not like this malware was self-replicating so it's success can't be blamed on that either... it started on that site and the bad guys used that site, took that stealthkit and used it against countless computer users..."

Unfortunate for the bad guys to go off and use something everyone knows about and understands well and that is easily detected and dealt with. I'd much rather they do that than use the much nastier things you don't hear about.

> "there is no question that the bad guys can do this or that they have done this in the past or that they will do it again in the future - it's a forgone conclusion and offensive computing is falling right into their hands... they go on to say that"

Or they into ours.

> "well, their intent may be good but the road to hell is paved with good intentions... they may not condone the spreading or propagation of viruses or worms but in practise i can guarantee you they'll wind up facilitating it... tens of thousands of live malware samples freely available is just too good a target... the av community knows full well (from experience) what can happen by sharing samples with just one wrong person - that's why they've developed the stringent policy they now follow... sharing malware with everyone will invariably lead to the bad guys misusing that malware and making the entire project part of the problem rather than part of the solution.."

And these AV-designed solutions are failing and falling behind. A new paradigm is needed, and thankfully lots of extremely talented and insightful people are working on this new paradigm.

V.

@valsmith:

>"Responses inline:"

ugh, this is what i hate most about blog debates - trying to squeeze the same functionality out of the blog comment medium that one gets easily out of usenet...

>"Well first of all, members of Cult of the Dead Cow have made massive contributions to the field of security"

i guess that's supposed to make up for the contributions cDc has made to INSECURITY...

>"We've done nothing but consider it, daily. We also don't worry about what others have done because as far as we have seen no one has done what we are doing. All we have seen in the past is big virus archives with nothing but the samples themselves, roughly organized."

which were themselves a bad thing, which you hope to emulate in a more organized way... and since it wasn't the lack of organization that made them bad, adding it won't make something good...

>"Actually its working out quite well. We have between 200,000 and 400,000 hits a month, tons of e-mail, collaborators from all over the security industry, and people actively collaborating on our site. We had around 2000 people attend our talk at defcon :)"

very telling that you measure your success with a hit counter...

most people who are trying to make a difference would use examples of how they've made things better, not how popular they've become...

>"Full disclosure = dead horse. Its pretty much accepted by the vast majority of top security professionals as the right way to go. Hence all the great talks at Blackhat. :)"

full disclosure is warranted in some cases, but not all cases - a foolish consistency is the hobgoblin of little minds... while i suspect you may well be right about what many security professionals believe, that alone is not enough to say full disclosure of malware is the right way to go...

>"We are not a site for ordinary users and have never presented ourselves as such. We are a site for security professionals, analysts, etc. If what you say was true, then why are experts and antivirus companies collaborating with us and doing analysis and signatures based on samples we provide?"

interesting claim... please name the anti-virus companies that have contributed malware to offensive computing - or does collaboration in their case just mean leeching as i would have otherwise expected... i fully expect them to take malware from you, to explain malware to you, but not to give malware to you so if there are av companies doing that i'd like to know who...

>"How do you define normal people in the security industry? I don't think there are any :) I've worked incident response for major (fortune 500 level) organizations for years. We VERY OFTEN needed samples of malware to develop snort signatures against targeted or massive attacks and to do damage assessments. (what was the impact of this malware being on our network) Having the sample to do analysis in order to be educated on what the appropriate defense is, is so common, such basic security 101 that it's almost not worth mentioning."

and since nobody is going to write 60-70 Snort signatures a day (to match the malware production rate) because it's just too many and it's redundant effort for each person to write their own signatures, a better idea would be to share Snort signatures and analyses themselves rather than the malware... that, at least, wouldn't arm the bad guys...

>"I agree with this, my mom doesn't need access to malware and she probably won't ever visit my site. If she did she would have to 1.) know what shes looking for by md5sum or name, 2.) download it, 3.) unzip it and figure out the unzip password and 4.) execute it. I'm not too worried about my mom getting past #1 :) However the 1000's of sysadmins and security people who are not on one of the extremely vetted lists do need access to it, I know because I was / am one of them."

they {waves hands in air} 'need' it? no they don't... they just need the info, not the malware itself...

>"I would ask this question of the several hundred thousand visitors we have, because it seems to have a positive impact on them."

seems to have a positive impact? once again you are misusing popularity to mean something more than it is...

>"That's not clear at all to many people. Who decides who is competent enough or a "true researcher"? This sounds like political exclusionary elitism to me, which is abhorred by true academics."

and completely necessary in any study of dangerous materials... i think you've been talking with the wrong sorts of academics, by the way... maybe try some who themselves deal with dangerous materials...

and for the record - the 'who decides' is the person who is doing the sharing... however, by making the malware available to everyone you don't even try to make such a decision, you willfully avoid the concept of safeguards (because following responsible handling guidelines gets in the way)...

>"You just made all our points for us. We aren't doing anything any more evil than say google or any computer hooked straight to the internet."

this is the 'other people litter so it's ok if we do too' argument... i believe i've just demonstrated what's wrong with it...

>"I'll be honest, no malware user (i.e. nefarious blackhat person) is likely going to go download something that is catalogued, analyzed and fingerprinted from our site and use it. That's just idiotic. If they do, they aren't much of a threat anyway. Lazy looky-loos, as you call them, infect their systems all day long without my help. Why visit Offensive Computing and go through all that trouble when they can just click on that viagra ad in their email?"

you clearly do not understand the malware user because they are doing exactly what you call idiotic, and they do it in droves... you also clearly do not understand the end user because they are still getting hit with those things that *shouldn't* be a threat according to you...

>"Malware creators have much more efficient, protected and anonymous ways of collaborating than this site. Offensive Computing offers malware creators essentially 0 value except for possibly inspiring them to see that security and analysis is much more fun / productive than malware creation. The community is a lot friendlier too."

how quaint - a member of a malware creation group who thinks malware creators are all one way (or maybe 2 ways if you acknowledge the script kiddies)... there is, however, a much broader spectrum than that...

some have better sites, some just have you... some have better sites and use you and any other malware trading site they can find just to have as many options as possible...

>"Actually, it's exactly the same thing. Malware and exploits both compromise security and make a computer do something unintended/unauthorized. And open debate, discussion and collaboration on these issues is exactly what is needed and exactly what moves the security industry forward enough to keep up (barely) with the bad guys. Malware exploits software defects, and so the cost/benefit is the same. It's the same issue."

if that is your belief then i'll chalk the rest of it up to your being misguided by faulty logic... viruses (as just one example) are well known to be inherent to the general purpose computing platform and therefore do not owe their existence to the presence of software defects...

i think there's good reason to believe most other malware categories are just as inherent to the general purpose computing platform - for example, what is really necessary for a computing platform to be able to support trojans? the ability to do something undesirable (which is not to say that it's something special, just a function the user would rather not run at the moment) while not revealing its true nature to the user (an opacity that is inherent to any sufficiently complex system, and general purpose computers are more than sufficiently complex)...

some instances of malware may additionally exploit software defects, some instances may even rely on being able to do so, but in general malware does not exploit defects... as such, the disclosure of malware is not comparable to the disclosure of exploit code...

>"Look at the great tools that have come out as a result of the work of people at rootkit.com: System Virginity Verifier, RootkitRevealer (I'm sure BlackLight was influenced as well). It is because of that site that the good guys even KNOW about these issues which the blackhats have been taking advantage of silently for years. Finally now a light has been shed and the cockroaches are scurrying to find new hiding places. With the help of sites like rootkit.com and Offensive Computing these new hiding places will be exposed as well."

false... what rootkitDOTcom is about is stealth, and stealth is something that has been around in the malware world for at least 20 years - ever since the first pc virus in the wild... the good guys have known about it for a long time and dealt with a variety of forms of it... rootkitDOTcom didn't make the problem better, it made it worse so that people who make security software eventually *had* to do something to address this particular form of stealth technology because it rose to the level of a significant threat...

>"Unfortunate for the bad guys to go off and use something everyone knows about and understands well and that is easily detected and dealt with. I'd much rather they do that than use the much nastier things you don't hear about."

yeah, it's ever so unfortunate that they can do something like that and still make it work for them, still get the malware onto end user machines, still cause problems for the general computer using public...

things would work out so much better for them if they did things the way you think bad guys do it - sure they wouldn't be able to do more than they can now, but at least they'd have the satisfaction of knowing they didn't do it the lazy way... we know how much they care about exhibiting a good work ethic...

>"Or they into ours."

don't kid yourself... it's not a question of if they're going to take advantage of offensive computing's malware repository, it's a question of when (and by now i wouldn't be surprised if they'd already started)...

>"And these AV-designed solutions are failing and falling behind. A new paradigm is needed, and thankfully lots of extremely talented and insightful people are working on this new paradigm."

a) that is a tired logical fallacy
b) the 'paradigm' isn't new, as i've said it's basically the same thing they do at rootkitDOTcom except with a broader scope
c) "new paradigm"? holy marketing bullshit, Batman...

Thanks!

The debate is very appreciated. We really need people like you to help point out how right we really are. Keep it going!

V.

Response

Thanks for taking the time to write these comments. That's too bad you don't find much value in the site.

As far as those who do, there are many people who contact us and thank us for running the site, providing samples to them, and overall improving the security landscape. We have links with many of the anti-virus companies, academic researchers, and countless others who are making a difference.

Each of them has expressed how the information here has helped them improve their products, their research, and the defense of their networks. Mentioning these organizations specifically by name would be entirely inappropriate.

While we encourage open collaboration, it's a difficult thing to engage with all at once. The most we can do is hope that the end result is that the products, research, and other contributions they are making will be for the better.

@chamuco

>"That's too bad you don't find much value in the site."

actually, that's not accurate... i think there's a lot of good going on here, i just think it's marred by allowing malware downloads by all comers... i would love to be able to link to some of the content here, i would probably even go so far as to add it to my blogroll, but i can't because of the malware...

>"We have links with many of the anti-virus companies, academic researchers, and countless others who are making a difference.
>
>Each of them has expressed how the information here has helped them improve their products, their research, and the defense of their networks. Mentioning these organizations specifically by name would be entirely inappropriate."

i'm not asking for the names of vendors who say those things, only the ones who share malware... i think this is important information... i think it is information that, for example, CARO members would like to know about - it would be highly relevant to them...

It's hard to say who uploads

It's hard to say who uploads what malware. Since we don't require any authentication for upload, it's hard to say what comes from whom. Even if we did know, we wouldn't tell you for the aforementioned reasons.

To Kurt :)

Do you think your blog post is going to undermine the "goals" of OC?

I have only one fact to point out: nothing is going to stop malicious code from being generated, not me, not you... not even OC, since we all know "thieves don't stop"... if someone in a terrorist group dies, the next guy who is deputy to the leader will be sworn in as leader and they will keep doing what they do best! [killing/bombing/you name it ;)]

What OC aims to do is reduce the threat before it reaches the masses!

Let a laugh pass by... phew!

Quoted from your lovely blog: i'm a computer scientist - i got my bsc in computer science from university of toronto in 2000...
SO YOU ARE A SELF-PROCLAIMED GENIUS? okay... okay

Quoted from your lovely blog again?: ...well yeah.
i also gather prior knowledge of/interest in viruses can actually be a barrier to getting hired (av companies don't want to risk hiring someone who might have a virus writing past they aren't disclosing) so it's not something i've really investigated too much... i'm just a long time member of the anti-virus community...

1) So you indirectly project yourself as a virus coder.
When you gather info on viruses and know how it's done, why shouldn't the general public do the same... They aren't any less human or curious than you are.

2) long-time member of "WHAAAAAAAAAAAAT"??

PS: I am not trying to belittle you, but your profile seems a bit too exaggerated and exemplarily blown up to mind-blowing proportions.

C'ya! ;)

--
Remember there is alwayz someone who knows more than us out there


@kishfellow
>"Do you think your blog post is going to undermine the "goals" of OC?"

no, my blog post was just me saying 'this is a bad idea, here's why'...

>"I have only one fact to point out: nothing is going to stop malicious code from being generated, not me, not you"

i'm not suggesting anyone could stop malware from being generated, only that people who are supposed to be the good guys should take reasonable steps to avoid contributing to the malware problem by helping it fall into the wrong hands... i think individuals only sharing with other individuals they know they can trust (both in motives and competency) is a reasonable precautionary measure to take...

>"SO YOU ARE A SELF-PROCLAIMED GENIUS? okay... okay"

??? how do you read that into having a bsc in comp.sci.? having a degree doesn't make me a genius, it just makes me degreed...

>"So you indirectly project yourself as a virus coder."

no, i do not... i project myself as being someone who knows more about viruses than the average person and accept the fact that av vendors have no way to verify how i came by that knowledge...

>"PS: I am not trying to belittle you, but your profile seems a bit too exaggerated and exemplarily blown up to mind-blowing proportions."

perhaps because you're reading more into it than is actually there...

Open Source Research

In reading the esteemed Mr. Wismer's blog posting, the responses, and the responses to the responses, it strikes me that a service like offensive computing is of immeasurable value to the computer community at large and that Mr. Wismer is throwing out the baby with the bathwater by not seeing this point.

Certainly, giving the "bad guys" access to malware has its inherent risks, but keeping that information in-house is a far more grievous offense. Take the example of major corporations that withhold vulnerability information until they are prepared to deal with it. During that time, the "bad guys" who are aware of this vulnerability are free to exploit it to their heart's content.

By shining light upon malware, the threat has its fangs removed. For that, I applaud the work done by valsmith and Danny. Were more individuals to take this approach, imagine how much safer we'd all be.

@afroninja

>"Certainly, giving the "bad guys" access to malware has its inherent risks, but keeping that information in-house is a far more grievous offense."

the info can be given out without giving out the malware...

>"Take the example of major corporations that withhold vulnerability information until they are prepared to deal with it. During that time, the "bad guys" who are aware of this vulnerability are free to exploit it to their heart's content."

once again, malware disclosure is not comparable to vulnerability disclosure... it's provably not comparable...

>"By shining light upon malware, the threat has its fangs removed. For that, I applaud the work done by valsmith and Danny. Were more individuals to take this approach, imagine how much safer we'd all be."

'shining a light upon malware' is a feel-good phrase with no concrete meaning... much of what goes on here is already going on inside the anti-malware industry with the exception of handing out malware samples to strangers, and it has been for many years... the one truly distinguishing feature is the handing out of malware samples - do you really think that part is going to make you safer?

Sadly ...

It is pure ignorance to presume that secrecy or selective disclosure is as beneficial as full disclosure. That is comparable to saying that doctors can be expected to cure a disease by being given a list of symptoms.

Just as researchers in the medical field must have samples of a bacterium or a virus to confirm that their cure is successful, so must researchers in the computer field have copies of malicious software in order to formulate a remedy.

To clarify, "shining a light upon malware" means (in a very feel-good way) that by providing access to those individuals who are motivated to find solutions--either to protect the networks for which they are responsible, for the glory of creating a solution, or for corporate gain (as in the example of the many corporations who participate in the Offensive Computing effort)--the endless back and forth game of "bad guys" versus "good guys" has a fighting chance.

Furthermore, by providing access to this information outside of a closed system, motivation is provided to anti virus companies and other software vendors to provide solutions fast. I'm sure no computer vendor likes it when a "hobbyist" comes up with a solution to their vulnerability before they do. This kind of gently applied pressure helps provide that motivation they need.

It is ignorant elitism to presume that such systems must be kept closed for the sake of keeping malware some kind of secret. The end result of such elitist notions is that malware flourishes in the proverbial shadows (forgive the "non-concrete" description) and the "good guys" have one less place to go for help.

In your blog, you touched upon the ignorance of a software vendor saying that the virus problem was "solved", and rightfully so. That was, more than anything, a bid for their customers to begin to focus on a new product. You won't find such ignorant rabble here, as there is no corporate motivation.

So, in answer to your question, yes. I do believe that shining a light upon malware (which I hope I have explained to your understanding), does help keep me safer. Just as I have greater faith in the open source community than I do in the world of corporations, I have a greater faith in the individuals who are passionate about providing this resource than I do in closed systems whose primary interest is not as much solving the problem as selling a product.

@afroninja
>"It is pure ignorance to presume that secrecy or selective disclosure is as beneficial as full disclosure. That is comparable to saying that doctors can be expected to cure a disease by being given a list of symptoms."

interesting that you should mention doctors... do you think doctors should share pathogens with anyone who happens to ask for them? that is essentially what's going on here....

>"Just as researchers in the medical field must have samples of a bacteria or a virus to confirm that their cure is successful, so must researchers in the computer field must have copies of malicious software in order to formulate a remedy."

and just as researchers in the medical field must prove themselves trustworthy to receive such materials, so too should researchers in the computer field prove themselves trustworthy to receive malware samples...

>"To clarify, "shining a light upon malware" means (in a very feel-good way) that by providing access to those individuals who are motivated to find solutions--either to protect the networks for which they are responsible, for the glory of creating a solution, or for corporate gain (as in the example of the many corporations who participate in the Offensive Computing effort)--the endless back and forth game of "bad guys" versus "good guys" has a fighting chance."

has a fighting chance of what? you need to lose the rose-coloured glasses and realize that a) you're giving malware to more people than just those who are motivated to find solutions, and b) that the endless back and forth game is going to remain endless no matter what technological efforts you bring to bear on the problem...

>"Furthermore, by providing access to this information outside of a closed system, motivation is provided to anti virus companies and other software vendors to provide solutions fast. I'm sure no computer vendor likes it when a "hobbyist" comes up with a solution to their vulnerability before they do. This kind of gently applied pressure helps provide that motivation they need."

a) anti-virus vendors already have a strong motivation to provide fast solutions, it's called competition... they want the money the other guy is making and one of the ways to do that is to be better and faster than the other guy...
b) anti-virus vendors are not in the business of curing software vulnerabilities... if you think viruses owe their existence to a software vulnerability, then what is the vulnerability...

>"It is ignorant elitism to presume that such systems must be kept closed for the sake of keeping malware some kind of secret."

it is just plain ignorant to presume that dangerous materials are ok to hand out like candy...

>"So, in answer to your question, yes. I do believe that shining a light upon malware (which I hope I have explained to your understanding), does help keep me safer. Just as I have greater faith in the open source community than I do in the world of corporations, I have a greater faith in the individuals who are passionate about providing this resource than I do in closed systems whose primary interest is not as much solving the problem as selling a product."

then you are not only ignorant of malware theory but also of the realities of the anti-virus community as well... they are not all corporate, they don't all have products to sell - your anti-corporate zeal is misdirected... but hey, don't let me confuse you with facts...

Doctors don't need to collect viruses because they come to them. This analogy extends to malware as well. We're just removing the step of having to setup a honeypot, collect a bunch of email, and harvest all the files.

To Kurt ;))

>>interesting that you should mention doctors... do you think doctors

>>should share pathogens with anyone who happens to ask for them? that

>>is essentially what's going on here....

You never get the point... do you?? That's the bloody problem.
Not all people will be as conservative and vetted as you want them to be.
In this world where open source is growing, open-minded people prevail, who want to be evangelistic, and not be like you.

Done with my post, don't reply with some crap again, better build a site in case you think your ideas are correct to prove it, or please go away. Too much bandwidth wasted.

/Quit

--
Remember there is always someone who knows more than us out there

Your Point

You articulate some interesting points, but I would submit to you that the main difference between what I will choose to call a "digital pathogen" and a biological pathogen is the risk of damage to human life. While I will agree that it would be risky to give a sample of Ebola Marburg to just anyone, the same risk to human life does not extend to digital pathogens.

You may well argue that digital pathogens have the potential to cause damage to human life by infecting computers that control critical systems, and you would be right. However, inept system administrators and poorly-written operating systems engender the same risk, so the point is mostly moot.

With my rose-colored glasses firmly in place, I must insist that such nervousness about "handing out dangerous materials like candy" is wildly misplaced. You seem to believe that giving people access to information is a bad thing, and I must insist that you are wrong. This is from the same school of thought that says open source software is inherently less secure because nefarious elements have access to the source code, yet that argument has yet to pan out. The largest difference of which I have been aware is that closed-source software typically (although not always) has a longer turnaround time in terms of providing a remedy to issues that arise.

I think that, if you take the time to investigate the good work done by those individuals who both run this site and those individuals and groups who help to support it, you'll find that your reservations are misplaced. I agree that there is inherent risk in making information available to just anyone, but there is also risk in concealing that information.

I guess the root of the issue is this. Since the inception of this site, are you able to prove a correlation between any perceived increase in virus/malware activity (actual activity, and not press coverage), and this site? If not, then it is obvious that your concerns are misplaced.