Thursday, August 17, 2006

surprise! offensive computing is, well, offensive

from a website i can't link to for reasons detailed here:
Offensive Computing was formed by Valsmith and Danny Quist as a resource for the computer security community. The primary emphasis here is on malware collections and analysis for the purpose of improving people's abilities to defend their networks. There is a noticeable lack of public sources of malware and malware analysis available. Those that were available were either for sale or limited to a small number of users. We provide resources such as live copies of malicious software, md5sums to search on and analysis of the malware to the general public.
so, assuming they're legit (and that's quite the assumption to make where cult of the dead cow members are concerned - think "back orifice", the RAT [silent installs of remote control software are not a good thing to do, boys and girls] they created that basically put them on the map years ago) we have yet another group of people who think sharing malware publicly is good and have clearly not considered how realistic their expectations are about the supposed benefits OR the costs to society at large OR the lessons to be learned from other attempts to do roughly the same thing...

the supposed benefits
proponents of these kinds of projects usually trot out noble ideas like full disclosure, open source, and collaboration... if only things could work out the way they planned... full disclosure, as i've stated before, only has a positive cost/benefit trade-off when the underlying problem can be fixed (which generally isn't the case with malware)... openness is great in some contexts, but not when dealing with dangerous materials, that much should be patently obvious... finally, the vast majority of ordinary users will never directly participate in the collaboration or even know it exists and the established experts already have better (read: less naive/negligent) channels through which they can get the same materials...

normal people do not use malware to help them defend their networks from malware - they use security software to defend their networks, security software written by other people, generally a relatively small group of people (small in comparison to the number of people who use it)... this isn't going to change - it will never be the case that the majority of the population will involve itself in the technical minutiae of synthesizing solutions to specific malware problems... how does free public access to live malware actually help these people who are trying to defend their networks? what impact does having such access have on the quality or effectiveness of the software they're actually using to defend their networks when they aren't the ones making that software?

clearly having such access does not help these users and has no impact on the quality of the tools they use - all that really matters is that the people who make the tools have access, and those people have access even without a project like offensive computing (otherwise how'd they get by up to now?)... the people actually building the tools have samples and they have contacts with other people that have samples and that they share a mutual trust with - that is how it works in the anti-virus community and that is how it should work in the wider anti-malware industry (if it doesn't, ask your anti-malware provider why they don't co-operate with other anti-malware providers - if they give you bullshit about competition on an issue of public safety like this, well it's just that, bullshit - there are plenty of other ways to compete that don't compromise or otherwise handicap the process of providing the public at large with the tools necessary to keep them safe - vote with your wallet)...

i suppose the argument could be made that public access helps those just breaking into the anti-malware market, but in reality there's all kinds of malware already readily available to such people so they can build their malware databases organically... at the same time they can build their reputations and trust relationships with others in the anti-malware community so that by the time they need access to malware they can't easily find themselves they'll have people they can turn to...

that just leaves the people who can't or won't build those trust relationships as being the real beneficiaries of a project like this...

the cost to society
it's important, whenever examining some proposal to improve security (as offensive computing does), to not blindly look only at the promise such a proposal has - you also have to look at how the system can be gamed... in this case it's fairly simple - it can be used to put malware in the hands of bad guys of course (and it's clear why that's bad) but it also can put malware in the hands of lazy/careless people, incompetents, looky-loos, and all manner of other folks who have no business handling malware - the second type of new age virus writer as described in sarah gordon's paper generic virus writer 2, the one you may have working in your IT department right now, is exactly this sort of person...

does putting malware into the hands of these people benefit security? are we (or our computers, data, or privacy) safer by giving malware to the people most likely to do something stupid or malicious with it? of course not...

and these are exactly the same sort of people most likely to seek out and use such a project - they're interested in the samples, this is a cheap and easy way to get them, and they don't have to sacrifice anything they actually value (like principles about responsible malware handling)...

all this boils down to more variants being made, more malware being 'deployed', and a facilitation of the collaboration going on between malware creators by doing away with the innovation bottleneck of conventional participatory collaboration and replacing it with a new and less constrained model...

lessons that could have been learned
i suppose i could mention that the pro-malware community in general and the vx in particular have a long history of making their 'wares freely (as in speech, and often as in beer) available to the public with everything from bbses to cd compilations to usenet newsgroups to irc chatrooms to web pages... they do it not because it helps the good guys (in fact the good guys often help to get malware trading sites shut down) but because it helps other bad guys like themselves... however, those projects aren't intended to help the good guys so it's really not comparable...

i suppose i could also mention the sites for sharing exploit code... superficially they seem like they'd be comparable to this offensive computing project, however, as i've said before, exploit disclosure and malware disclosure are 2 very different things - the cost/benefit analysis of disclosing software defects and how they can be exploited comes up positive for us while the cost/benefit analysis of disclosing malware does not, so this too is really not comparable...

"so then what project is comparable?" you might ask - well how about rootkitDOTcom? they make a form of malware freely available on that site with the stated goal of helping security researchers tackle the 'rootkit' (*cough* stealthkit *cough*) problem... so let's look at how well that's worked out so far - over the past couple of years the stealthkit problem has gotten worse, not better... they're more widely used, they're more widely sought after, and they're getting more and more sophisticated... on that basis alone it would seem like rootkitDOTcom is failing to achieve its supposed goals...

but the rootkitDOTcom example goes beyond simple failure to do good, the most damning thing is how much BAD it's done... i've described in the past how one of the site's founders made a stealthkit available on the site and how that stealthkit (unaltered from the compiled binary available on the site) then went on to become one of the most widely deployed stealthkits in the world... it's not like this was malware that was captured in the wild and whose success in the wild when it was freely available on a rather high profile site could be explained away as coincidence... it's also not like this malware was self-replicating so its success can't be blamed on that either... it started on that site and the bad guys used that site, took that stealthkit and used it against countless computer users...

there is no question that the bad guys can do this or that they have done this in the past or that they will do it again in the future - it's a foregone conclusion and offensive computing is falling right into their hands... they go on to say that:
This site does NOT encourage or condone the spreading or propagation of viruses or worms. That's exactly what this site is designed to help defend against.

The intent of providing live copies of malware is so that the community can collaborate on identifying and analyzing them in order to develop snort signatures and other defenses.
well, their intent may be good but the road to hell is paved with good intentions... they may not condone the spreading or propagation of viruses or worms but in practice i can guarantee you they'll wind up facilitating it... tens of thousands of live malware samples freely available is just too good a target... the av community knows full well (from experience) what can happen by sharing samples with just one wrong person - that's why they've developed the stringent policy they now follow... sharing malware with everyone will invariably lead to the bad guys misusing that malware and making the entire project part of the problem rather than part of the solution...