Thursday, May 04, 2006

FUD from bruce schneier

well, bruce schneier is at it again, spreading FUD about the anti-virus industry colluding with sony-bmg to prevent detection of their stealthkit (what passes for a rootkit these days)... and his kangaroo court readership buy it hook, line and sinker, thinking the 'evidence' posted in the original thread was conclusive...

clearly people haven't actually read the original thread for meaning, so i'm going to have to dissect the so-called evidence for them...
  • f-secure, whose blacklight product was already detecting xcp (the sony-bmg stealthkit), admitted that they didn't immediately alert the public to the (low risk) threat because they knew the script kiddies would jump on the news of a large population of pre-compromised systems (and when the news came out that's exactly what happened), and were in talks with sony when mark russinovich broke the story... it's never been disclosed what those talks were about, and it may seem like fun to assume the worst (collusion), but that's the same paranoia that makes people want to believe anti-virus companies hire virus writers... there are far more reasonable possibilities, such as f-secure following responsible disclosure by trying to convince sony-bmg/first4internet to close the vulnerability in their stealthkit, or possibly remove it altogether, before information about how the vulnerability could be exploited was released to the public (and scores of script kiddies)...
  • norman's sandbox technology was also able to detect xcp before the news broke...
  • symantec was implicated in the collusion through a claim that they had approved xcp but that claim was later explicitly corrected (link points to the exact google cache page pointed to in the aforementioned original thread)...
  • multiple av companies downplayed the threat that xcp posed... again, one could be a conspiracy nut and believe it's because they were in on it, or one could be reasonable and recognize that it's quite normal for people to downplay the significance of their own failures...
  • first4internet (the people who made xcp in the first place) apparently claimed to have worked with the big anti-virus companies to make sure their software was safe, but names were ultimately not given, and first4internet had their own arses to protect so there was plenty of motivation to try to fabricate vague legitimizing circumstances...
the so-called 'evidence' of collusion on the part of the anti-virus companies to avoid detecting xcp, to let users' machines become compromised undetected, is evidence of nothing more than a peculiar desire not to trust anti-virus companies... there is no real evidence of collusion, and bruce schneier's continued insistence that there is, is nothing more than unmitigated FUD...

bruce schneier, who claims to like the "be part of the solution, not part of the problem" metric, is sowing fear, uncertainty, and doubt about an entire class of security company when he says things like:
You might have expected your antivirus software to detect Sony's rootkit. After all, that's why you bought it. But initially, the security programs sold by Symantec and others did not detect it, because Sony had asked them not to. You might have thought that the software you bought was working for you, but you would have been wrong.
and that can lead people away from the only real tools there are for dealing with malware... that certainly seems more like being part of the problem than part of the solution if you ask me...

of course, when he also says:
McAfee didn't add detection code until Nov. 9, and as of Nov. 15 it doesn't remove the rootkit, only the cloaking device.
he demonstrates that he's provably ignorant of the malware domain... under current parlance, the cloaking device IS the rootkit... under the more classical definition (a kit of tools for keeping root on an already-compromised unix box) xcp was never a rootkit at all...

the security guru has a blind spot, and that's malware, but people accept his word on the subject as security gospel - unable to apply basic logic and available facts to recognize when he's in error, unable to think for themselves... so who owns your opinions? you, or some guy who's supposed to know about these things?
