<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Matasano Chargen - Latest Comments in Race To Zero: It&amp;#8217;s Not A Contest, It&amp;#8217;s A Protest</title><link>http://matasanochargen.disqus.com/</link><description></description><language>en</language><lastBuildDate>Sat, 25 Jul 2009 06:00:40 -0000</lastBuildDate><item><title>Re: Race To Zero: It&amp;#8217;s Not A Contest, It&amp;#8217;s A Protest</title><link>http://www.matasano.com/log/1049/contest-protest/#comment-12927511</link><description>I often don`t understand why people are making so many protests. Only a few times I saw they are actually right for their behavior but many more they are not. Plus they will suffer more if they want to be against everything the law will release.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">International Oddities</dc:creator><pubDate>Sun, 19 Jul 2009 16:26:26 -0000</pubDate></item><item><title>Re: Race To Zero: It&amp;#8217;s Not A Contest, It&amp;#8217;s A Protest</title><link>http://www.matasano.com/log/1049/contest-protest/#comment-2323940</link><description>"We’re talking to hacker and security expert extraordinaire Dan Kaminsky"&lt;br&gt;&lt;br&gt;HAHAHAHAHAHAHAHAHAHA&lt;br&gt;&lt;br&gt;thats the funniest thing I have read all week. Maybe he should spend more time on his books and less time going for headlines ( see his new IDA book for proof of his general uselessness and lack of *real* talent ). 
Why do people still give this attention whore time?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">jim</dc:creator><pubDate>Sat, 17 May 2008 16:38:58 -0000</pubDate></item><item><title>Re: Race To Zero: It&amp;#8217;s Not A Contest, It&amp;#8217;s A Protest</title><link>http://www.matasano.com/log/1049/contest-protest/#comment-2323939</link><description>I'll elaborate on low level revamp: Besides just isolation for programs by default, there needs to be trust chain from the program to the network and so on. Absolutely no way for programs to come in and hook anything. Updates to programs need to begin by the program being updated initiating the update procedure - you wouldn't trust a random 3rd party to replace/update your brain would you? That's how things work today, anyone can come with privs and replace files etc.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">ac</dc:creator><pubDate>Sat, 17 May 2008 04:29:18 -0000</pubDate></item><item><title>Re: Race To Zero: It&amp;#8217;s Not A Contest, It&amp;#8217;s A Protest</title><link>http://www.matasano.com/log/1049/contest-protest/#comment-2323938</link><description>What kind of progress from AV industry would stop user being socially engineered to download and run a trojan? I can't imagine such.&lt;br&gt;&lt;br&gt;The real solution comes in three parts:&lt;br&gt;&lt;br&gt;a) user education&lt;br&gt;&lt;br&gt;b) program isolation/sandboxing by default if system is configured as the main box/os and not some virtual machine, AV vendors/Microsoft could then whitelist programs on the mainbox.&lt;br&gt;&lt;br&gt;c) low level revamp. Move to newer OS architecture and also away from languages that were made with the assumption that the programmer knows both the language and the system as well as the language and system designer. Programmers don't need low level memory control outside kernel and in many cases not in the kernel either (see Singularity kernel). 
Write everything in high level until you face a piece where you absolutely need low level control.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">ac</dc:creator><pubDate>Sat, 17 May 2008 04:22:16 -0000</pubDate></item><item><title>Re: Race To Zero: It&amp;#8217;s Not A Contest, It&amp;#8217;s A Protest</title><link>http://www.matasano.com/log/1049/contest-protest/#comment-2323949</link><description>av industry is afraid because they can only detect malware written by their own developers :), give them something more complex and they're getting mad as hell&lt;br&gt;&lt;br&gt;im doing software protections and i had and still have so much troubles with av software (just because they can't bypass protection layer) i really wish there was a progress in av software</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">bw</dc:creator><pubDate>Sat, 10 May 2008 09:36:22 -0000</pubDate></item><item><title>Re: Race To Zero: It&amp;#8217;s Not A Contest, It&amp;#8217;s A Protest</title><link>http://www.matasano.com/log/1049/contest-protest/#comment-2323947</link><description>@ DaveG:&lt;br&gt;&lt;br&gt;A contest to see which AV research team can bang out signatures fastest?  That's even more useless.  The problem with the AV industry is that they still use that model, and now the malware pushers can repack their binaries and re-obfuscate their JavaScript without rewriting a single line of code, FTW.&lt;br&gt;&lt;br&gt;Maybe the competition should be to develop a tuning paradigm and a management interface for white-listing software.  
Then Dan Kaminsky's grandma (she'll already be there) can judge which one is easiest to use.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">PaulM</dc:creator><pubDate>Fri, 09 May 2008 14:31:10 -0000</pubDate></item><item><title>Re: Race To Zero: It&amp;#8217;s Not A Contest, It&amp;#8217;s A Protest</title><link>http://www.matasano.com/log/1049/contest-protest/#comment-2323946</link><description>You might be interested to know that CBC - Search Engine, a Canadian public radio show dealing with the impact of the internet on our daily lives, is taking a look at Defcon's Race to Zero this week.  &lt;br&gt;&lt;br&gt;We're talking to hacker and security expert extraordinaire Dan Kaminsky about the race: exploring why hackers are excited about it, and whether big business has anything to worry about. You can either check us out online at &lt;a href="http://www.cbc.ca/searchengine" rel="nofollow"&gt;www.cbc.ca/searchengine&lt;/a&gt; or download the podcast by going to &lt;a href="http://www.cbc.ca/podcasting" rel="nofollow"&gt;www.cbc.ca/podcasting&lt;/a&gt; and clicking on Search Engine.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">CBCSearchEngine</dc:creator><pubDate>Thu, 08 May 2008 11:24:13 -0000</pubDate></item><item><title>Re: Race To Zero: It&amp;#8217;s Not A Contest, It&amp;#8217;s A Protest</title><link>http://www.matasano.com/log/1049/contest-protest/#comment-2323945</link><description>The malware/trojan/virus vs. AV battle is a cat-mouse game that's been going on for 20 years.  Anyone who participates in this contest is only helping the AV vendors get rich by doing their monotonous "reverse engineering" dirty work for them.  Just to prove to myself how absolutely shitty the *latest* McAfee is, I downloaded Exploit.Win32.WS_FTP from VX heavens, and ASpacked it.  Try it for yourself, I won't belabor the point.  It executes fine when ASPacked and is detected when not packed.  
I'm sure you can get similar results with UPX or any of the other 20+ binary packers available.  Patching binaries to evade signature-based AV engines is not reverse engineering.  This is elementary to any real-world malware coder.  Hey!  I have an idea for a REAL contest:  Take all the AV software, have people write *brand new* trojans and malware, and see if the AV engines recognize any of them!  I might actually watch that instead of the girls in the pool at the Hard Rock or the pr0n on my TV at Caesars.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Paco</dc:creator><pubDate>Wed, 07 May 2008 16:16:49 -0000</pubDate></item><item><title>Re: Race To Zero: It&amp;#8217;s Not A Contest, It&amp;#8217;s A Protest</title><link>http://www.matasano.com/log/1049/contest-protest/#comment-2323951</link><description>Was at a conference yesterday where Eugene Kaspersky spoke. He was adamant that blacklisting sucked and heuristics is the way forward. But I don't see it happening. All the AV vendors are now beating the heuristics drum, but the tech isn't there.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dominic White</dc:creator><pubDate>Wed, 07 May 2008 01:20:23 -0000</pubDate></item><item><title>Re: Race To Zero: It&amp;#8217;s Not A Contest, It&amp;#8217;s A Protest</title><link>http://www.matasano.com/log/1049/contest-protest/#comment-2323944</link><description>Where this competition would be interesting is if it was a test of AV product / behavioural HIPS/AV behaviour at detecting unknown samples. 
The entire approach of "send us the sample that owned you, we will make sure it doesn't happen again, or at least until the sample is repacked, then send it to us again".</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">John Fsck</dc:creator><pubDate>Tue, 06 May 2008 19:37:46 -0000</pubDate></item><item><title>Re: Race To Zero: It&amp;#8217;s Not A Contest, It&amp;#8217;s A Protest</title><link>http://www.matasano.com/log/1049/contest-protest/#comment-2323950</link><description>@PaulM:&lt;br&gt;&lt;br&gt;I meant in terms of success, not how successful their programs are.   I'd love to be wrong, but I don't think it is going to be that interesting a competition.   Not that it would change my stance, but I would love to see a contest where malware samples are sent to each AV vendor, and see who can bang out signatures the fastest.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave G.</dc:creator><pubDate>Tue, 06 May 2008 14:50:59 -0000</pubDate></item><item><title>Re: Race To Zero: It&amp;#8217;s Not A Contest, It&amp;#8217;s A Protest</title><link>http://www.matasano.com/log/1049/contest-protest/#comment-2323943</link><description>I left M$ and my MCSE, and went to *BSD, which I had been just reading about, when I audited how bad AV had been, and is for M$.  I tried some old bad stuff, went through, found a few attacks on AV, and how badly they install and leave you open.&lt;br&gt;What really buzzed my prop head, was how flagrantly they leave bad heuristics, of allowing some rogue behavior to just pass.  F this, I said!&lt;br&gt;Happy to have moved on big time!  Thank you AV, saved me a few years to get the right path!&lt;br&gt;&lt;br&gt;AV is such a bad dependency upon M$.&lt;br&gt;And I sure do NOT trust or use some other OSS AV either...&lt;br&gt;&lt;br&gt;AV is such a gateway drug.  "Our policy is that you must use a  on our secure network of secure computers, protect by AV."  GRR.  
Have it all ways, back stabbing, tape cutting sideways, B-crats!&lt;br&gt;&lt;br&gt;Good website, nice FRESH perspectives.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">2LoveBadAV</dc:creator><pubDate>Tue, 06 May 2008 14:17:36 -0000</pubDate></item><item><title>Re: Race To Zero: It&amp;#8217;s Not A Contest, It&amp;#8217;s A Protest</title><link>http://www.matasano.com/log/1049/contest-protest/#comment-2323948</link><description>Oh hell yes.&lt;br&gt;&lt;br&gt;Please someone with more coding talent than I step up and shake up this space.&lt;br&gt;&lt;br&gt;The success of botnets is proof that existing AV/IDS/IPS is not cutting the proverbial mustard.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">tadda</dc:creator><pubDate>Tue, 06 May 2008 09:54:34 -0000</pubDate></item><item><title>Re: Race To Zero: It&amp;#8217;s Not A Contest, It&amp;#8217;s A Protest</title><link>http://www.matasano.com/log/1049/contest-protest/#comment-2323942</link><description>We don't need another SYMC or MFE.  For the past 5 years, they've acquired products outside of AV to insulate themselves from Microsoft and now from the seemingly inescapable realization that the *best* AV scanner has about a 60% prevention rate in production.  They know the AV scanner as we know it today is doomed.  They don't need to go to Defcon to learn that.&lt;br&gt;&lt;br&gt;For that matter, neither do I, but I still think it's a cool competition.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">PaulM</dc:creator><pubDate>Mon, 05 May 2008 21:29:34 -0000</pubDate></item><item><title>Re: Race To Zero: It&amp;#8217;s Not A Contest, It&amp;#8217;s A Protest</title><link>http://www.matasano.com/log/1049/contest-protest/#comment-2323941</link><description>You have summed up this issue precisely.&lt;br&gt;Blacklisting sucks. I have however seen some vendors come out and claim a stronger emphasis on heuristic based anti malware measures. 
&lt;br&gt;&lt;br&gt;I think at present AV sucks but it's the best we have.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">John Fsck</dc:creator><pubDate>Mon, 05 May 2008 21:26:54 -0000</pubDate></item></channel></rss>