unlikely

Posted Apr 8, 2006 18:56 UTC (Sat) by copsewood (subscriber, #199)
In reply to: big deal by JoeBuck
Parent article: Crossplatform virus - the latest proof of concept

AV researchers obviously have an interest in seeing what black
hats can do before the latter release viruses into the wild.
However, cooperating beyond this level of passive observation,
e.g. by offering incentives of any kind to get black hats to
write viruses would, if ever found out, result in much
too great a loss of reputation with their customers on
which the anti-virus business is based to be worth any
competitive advantage that might otherwise have resulted. Would
you ever buy anti-virus products from a company that you knew
had cooperated with black hats to the point of offering
incentives to them? How could you trust such products not
to do bad and deceptive things on your system if the
ethics of the AV vendor had been compromised in this way?

If your answers, like mine, are no and you couldn't, then don't
imagine the legitimate AV community hasn't already thought
about this issue with the greatest of care.


unlikely

Posted Apr 9, 2006 23:06 UTC (Sun) by Tashlan (guest, #17277)

While not exactly what you are arguing, the AV vendors' lack of response to Sony's Rootkit comes to mind.

Sony root kit and Back Orifice

Posted Apr 10, 2006 9:13 UTC (Mon) by copsewood (subscriber, #199)

They have enough trouble keeping up with malware supplied by cracker-culture conformant black hats. When people who look like white hats suddenly behaved like black hats, this exploited a blind spot which got such malware under the AV radar for a while. This is not an entirely new problem for the AV community. What is the difference between remote control programs which are malware (e.g. Back Orifice) and those which are legitimate but very unobtrusive to the machine being remotely controlled in normal use? I think the best answer I can give to this is based on the assumed intentions of the suppliers of such products. This criterion is also going to be very unsatisfactory from the POV of the AV community, who would naturally want to be able to use less subjective criteria, but what alternatives do they have? This kind of problem is why Windows AV or Linux rootkit scanners can only ever be a small part of an overall security solution.
