Monday, April 30, 2012

prediction vs. tempting fate

how many of you reading this remember conficker? i certainly remember it, but i have a long memory, especially when it comes to regrets. you may recall an apology i posted some years ago concerning the possibility that i might have made a small contribution to the feature-set of that malware by way of giving the bad guys ideas.

well, from where i sit, that may very well have happened again, only it wasn't me this time, it was an AV vendor. now you might expect that, as a result, said vendor would become much more scrupulous about censoring themselves. it's no easy task, let me tell you, but it's certainly something that some of you (myself included) probably expect from the people who are supposed to be protecting us.

alternatively, you might expect just an apology, under the philosophy that it's better to ask forgiveness than permission. that would certainly be easier, although accepting responsibility for negative outcomes is not generally considered good for the public image of a company. as an individual, owning up to one's mistakes and accepting responsibility is considered a mark of maturity, but the rules for companies are unfortunately very different in this regard.

which brings us to the thing you might not have expected, but probably should have - bragging about it as though it were a "prediction":
that link, by the way, points to this story on informationweek.com, which in turn points back to a post on the f-secure blog suggesting that if the people behind the flashback malware for the mac upgraded to exploits for unpatched java vulnerabilities (it had only been using exploits for old, already patched vulnerabilities before), they might affect a lot more people.

is that a prediction or an instruction? f-secure's blog, as you might be aware, is one of the most (perhaps the most) widely read blogs in the entire anti-malware field. it stands to reason that if the people behind flashback are reading any anti-malware blogs, that one is probably on their list. even if it isn't, that particular post was about their efforts and would most likely have been forwarded by someone who was aware of their work (just as, in a small software development company, every press release, news article, and TV spot that mentions your work gets sent to everyone in the company).

would they have upgraded to unpatched vulnerabilities without that suggestion being made? perhaps, perhaps not. we'll never know. do all malware profiteers who use exploits for patched vulnerabilities inevitably upgrade to ones for unpatched vulnerabilities? that's doubtful - exploits for unpatched vulnerabilities are much harder to come by than ones for vulnerabilities that have already been patched. the transition is anything but inevitable, so there exists the very real possibility that f-secure's "prediction" was more like a self-fulfilling prophecy.

but of course, it sounds better if you call it a prediction. it sounds like something that adds value to their voice (though they have plenty already without that) and so helps to build the brand.

it seems to me that openly predicting what the bad guys are going to do next, or speculating on what they could do better, only invites them to take your advice. you might then capitalize on that with liberal amounts of spin, but at the end of the day is giving them ideas really so much more benign than giving them code? don't you tempt fate either way?