Matasano Chargen: Race To Zero: It’s Not A Contest, It’s A Protest

  • John Fsck · 1 year ago
    You have summed up this issue precisely.
    Blacklisting sucks. I have however seen some vendors come out and claim a stronger emphasis on heuristic based anti malware measures.

    I think at present AV sucks but it's the best we have.
  • PaulM · 1 year ago
    We don't need another SYMC or MFE. For the past 5 years, they've acquired products outside of AV to insulate themselves from Microsoft and now from the seemingly inescapable realization that the *best* AV scanner has about a 60% prevention rate in production. They know the AV scanner as we know it today is doomed. They don't need to go to Defcon to learn that.

    For that matter, neither do I, but I still think it's a cool competition.
  • tadda · 1 year ago
    Oh hell yes.

    Please someone with more coding talent than I step up and shake up this space.

    The success of botnets is proof that existing AV/IDS/IPS is not cutting the proverbial mustard.
  • 2LoveBadAV · 1 year ago
    I left M$ and my MCSE, and went to *BSD, which I had been just reading about, when I audited how bad AV had been, and is for M$. I tried some old bad stuff, went through, found a few attacks on AV, and how badly they install and leave you open.
    What really buzzed my prop head, was how flagrantly they leave bad heuristics, of allowing some rogue behavior to just pass. F this, I said!
    Happy to have moved on big time! Thank you AV, saved me a few years to get the right path!

    AV is such a bad dependency upon M$.
    And I sure do NOT trust or use some other OSS AV either...

    AV is such a gateway drug. "Our policy is that you must use a on our secure network of secure computers, protected by AV." GRR. Have it all ways, back stabbing, tape cutting sideways, B-crats!

    Good website, nice FRESH perspectives.
  • Dave G. · 1 year ago
    @PaulM:

    I meant in terms of success, not how successful their programs are. I'd love to be wrong, but I don't think it is going to be that interesting a competition. Not that it would change my stance, but I would love to see a contest where malware samples are sent to each AV vendor, and see who can bang out signatures the fastest.
  • John Fsck · 1 year ago
    Where this competition would be interesting is if it was a test of AV product / behavioural HIPS/AV behaviour at detecting unknown samples. The entire approach of "send us the sample that owned you, we will make sure it doesn't happen again, or at least until the sample is repacked, then send it to us again".
  • Dominic White · 1 year ago
    Was at a conference yesterday where Eugene Kaspersky spoke. He was adamant that blacklisting sucked and heuristics is the way forward. But I don't see it happening. All the AV vendors are now beating the heuristics drum, but the tech isn't there.
  • Paco · 1 year ago
    The malware/trojan/virus vs. AV battle is a cat-mouse game that's been going on for 20 years. Anyone who participates in this contest is only helping the AV vendors get rich by doing their monotonous "reverse engineering" dirty work for them. Just to prove to myself how absolutely shitty the *latest* McAfee is, I downloaded Exploit.Win32.WS_FTP from VX heavens, and ASpacked it. Try it for yourself, I won't belabor the point. It executes fine when ASPacked and is detected when not packed. I'm sure you can get similar results with UPX or any of the other 20+ binary packers available. Patching binaries to evade signature-based AV engines is not reverse engineering. This is elementary to any real-world malware coder. Hey! I have an idea for a REAL contest: Take all the AV software, have people write *brand new* trojans and malware, and see if the AV engines recognize any of them! I might actually watch that instead of the girls in the pool at the Hard Rock or the pr0n on my TV at Caesars.
  • CBCSearchEngine · 1 year ago
    You might be interested to know that CBC - Search Engine, a Canadian public radio show dealing with the impact of the internet on our daily lives, is taking a look at Defcon's Race to Zero this week.

    We're talking to hacker and security expert extraordinaire Dan Kaminsky about the race: exploring why hackers are excited about it, and whether big business has anything to worry about. You can either check us out online at www.cbc.ca/searchengine or download the podcast by going to www.cbc.ca/podcasting and clicking on Search Engine.
  • PaulM · 1 year ago
    @ DaveG:

    A contest to see which AV research team can bang out signatures fastest? That's even more useless. The problem with the AV industry is that they still use that model, and now the malware pushers can repack their binaries and re-obfuscate their JavaScript without rewriting a single line of code, FTW.

    Maybe the competition should be to develop a tuning paradigm and a management interface for white-listing software. Then Dan Kaminsky's grandma (she'll already be there) can judge which one is easiest to use.
  • bw · 1 year ago
    AV industry is afraid because they can only detect malware written by their own developers :). Give them something more complex and they're getting mad as hell.

    I'm doing software protections and I had and still have so many troubles with AV software (just because they can't bypass the protection layer). I really wish there was progress in AV software.
  • ac · 1 year ago
    What kind of progress from the AV industry would stop a user from being socially engineered into downloading and running a trojan? I can't imagine such.

    The real solution comes in three parts:

    a) user education

    b) program isolation/sandboxing by default if the system is configured as the main box/OS and not some virtual machine. AV vendors/Microsoft could then whitelist programs on the main box.

    c) low level revamp. Move to newer OS architecture and also away from languages that were made with the assumption that the programmer knows both the language and the system as well as the language and system designer. Programmers don't need low level memory control outside kernel and in many cases not in the kernel either (see Singularity kernel). Write everything in high level until you face a piece where you absolutely need low level control.
  • ac · 1 year ago
    I'll elaborate on the low level revamp: Besides just isolation for programs by default, there needs to be a trust chain from the program to the network and so on. Absolutely no way for programs to come in and hook anything. Updates to programs need to begin by the program being updated initiating the update procedure - you wouldn't trust a random 3rd party to replace/update your brain, would you? That's how things work today: anyone can come with privs and replace files etc.
  • jim · 1 year ago
    "We’re talking to hacker and security expert extraordinaire Dan Kaminsky"

    HAHAHAHAHAHAHAHAHAHA

    That's the funniest thing I have read all week. Maybe he should spend more time on his books and less time going for headlines (see his new IDA book for proof of his general uselessness and lack of *real* talent). Why do people still give this attention whore time?
  • International Oddities · 4 months ago
    I often don't understand why people are making so many protests. Only a few times I saw they are actually right for their behavior, but many more they are not. Plus they will suffer more if they want to be against everything the law will release.