Kurt Wismer, a close (and well-informed) observer of the anti-malware industry, has been critical of the industry’s silence over an issue he flagged in a recent blog post.
The initial post was based on an Ars Technica article about the HBGary hack, and Kurt’s post centered on the ethical anomalies of anti-malware companies working with people with a reputation in full-on, full-disclosure stealthkit research.
A sizeable proportion of the wider community – even the wider security community – probably doesn’t have a problem with this, and even sees the AV Old Guard’s squeamishness about cosying up to (and even hiring) people with a track record in malware creation as a sign of inadequacy and incompetence. (Or even hypocrisy, given that quite a few people still believe that anti-virus companies write all – or even some of – the viruses. I looked at some of the reasoning behind that a few years ago here, by the way.
Kurt Wismer is rather more Old School, asserting that “AV companies contributing to the commercial success of malware writers … is not ok at all.” And that’s hard to argue with.
Silence is Golden?
However, in his more recent post, he sees something sinister in the fact that other AV vendors haven’t commented on these alliances, and one alliance in particular. He asks “does it mean that they can’t say anything because they’ve all got similar skeletons in their closet? or does it mean they’re just not interested in capitalizing on that sort of thing anymore?” His basic argument is that it’s the responsibility of individual AV companies to police the industry – i.e. each other – to hold them accountable for unethical behavior.
Well, I’m pretty Old School myself in that respect: I’m not keen on working with people who create malware for a living, either. What’s more, I’m certainly not against having someone enforcing ethical behavior among AV companies, though I’m not sure I want that someone to be me. After all, I nearly missed this issue altogether, being up to my neck in my own projects.
Still, there was a time when a company that employed a virus writer was likely to be sharply criticized by other companies. You could write that off as a ploy to gain competitive advantage, of course, but AV researchers were actually pretty obsessive, in general, about not creating new viruses, and they certainly haven’t warmed to the idea of writing their own non-replicating malware, either.
At that time, mind you, virus writing was primarily a hobbyist preoccupation, and when (some) virus authors were more concerned with demonstrating their programming skills and establishing bragging rights than with causing damage or making a profit, you could at least consider a reformed virus writer enough to offer them a job. Generally, though, that only happened on the fringes of the industry as mainstream vendors didn’t want to risk the bad karma.
Trust Me, I’m a Botherder
Nowadays, most malware activity is unambiguous criminality for profit. It’s unlikely that any mainstream company would be so impressed with the skills of a 21st century bot creator that it would offer them a job. How could you trust someone to behave ethically in the virus lab when they’d already proved willing to misuse whatever talent they had in pursuit of criminal activities like clickfraud or extortion through DDoS?
So where is the hue and cry over major AV companies cooperating in some sense with the alumni of rootkit.com? Times have changed, certainly, and not always for the better, but I don’t think anyone ever dished out silver stars to allow the industry to police itself. Despite my earlier comments, I don’t think it’s altogether bad that the temptation to self-glorify by pointing to the flaws in the competition has been diminished (in one respect, at any rate).
Self-Policing Or Mutual Self-Interest?
Kurt draws a parallel with AMTSO (the Anti-Malware Testing Standards Organization), but I think that’s misleading. AMTSO was conceived as a coalition between testers and vendors with the common aim of raising testing standards. However, I don’t think it was ever about self-policing. Rather, it was about testers holding vendors responsible for the quality of their products, and vendors holding testers responsible for the quality of their testing.
That means tension, yes, but also balance, and that has worked to the advantage of the consumer. If it split into separate tester and vendor pressure groups tomorrow (and stranger things have happened) that wouldn’t change. And I imagine that the groups would continue to cooperate in other contexts, as they did before AMTSO. But, it still wouldn’t be about self-policing, unless you consider anti-malware and anti-malware testing to be same industry. It’s more like walking a tightrope between divergent interests.