Inside the Mind of a Virus Writer
sebFlyte writes "news.com.com is running a very interesting interview with 'Benny' (AKA Marek Strihavka), a former member of the famed 29A Russian virus-writing group, about what drove the group among other things. He's now one of several ex-virus writers working for security companies."
He's got a point there, but still, that stinks of "create a problem, then sell the solution".
quidquid latine dictum sit altum videtur.
Q: How many viruses have you written?
A: A lot
Q: Why did you write them?
A: To learn and innovate, not to harm.
Q: Should virus writers like you work for AV companies?
A: Yes, of course. We know security the best.
Why is this an "interesting interview"? There is little to no content here. It's the same crap we've heard every virus writer say to every person who interviews them. While I agree that the best security people are probably the ones who used to break the system (aka virus writers and crackers) why does this need to be considered interesting news? I was more interested in the (FALSE) story about the fish from the tsunami.
It amazed me the way some people think. It sounds to me like he thinks he should be free to write virii because it's expression and protected under the first amendment? So by that analogy, someone who burns down a building shouldn't be prosecuted because they are just expressing themselves. Come on, him saying that he didn't distribute his "code" is complete crap. He wrote it and it got distributed. Anyone who thinks differently can buy some swampland from me at a steep price.
My sig of choice is Marlboro
There is something to be said for learning techniques for mitigation through hands-on practice. For example, I routinely attempt to crack my own web servers in an attempt to discover potential weaknesses. You can read white papers on XSS and privilege escalation and proper filesystem permissions all day, but you don't really ever learn the application until you try it for yourself.
If I were to hire another administrator to be in charge for securing my systems, I would want them to have that same internal drive and desire to explore the system, rather than having a checklist-mentality. Go down the list and assume the server is secure.
That said, I would _not_ hire someone who was actively involved in breaking into other people's systems. It's the mindset. They did it once, they can't do it appreciably any better than if they had probed their own systems, and they're likely to do it again. Part of being a professional means a mature respect for other people's beings.
So if this guy actually wrote viruses that were released, I would consider him probably a bad candidate. Otherwise, yeah, go for it. Good choice.
"Frank Abagnale did steal millions of dollars. He was a criminal. This kid didn't do anything of the sort -- he simply wrote programs that exposed insecurities in operating systems."
And spam writers simply write spam that exposes weaknesses in Bayesian filters.
"I am of the mind that we absolutely need people like Benny -- someone MUST check the locks to ensure that we are indeed safe. If no-one is checking the locks, then we're just fooling ourselves that what we hold near and dear is safe."
I'll be over to check your locks. DON'T CALL THE POLICE!
Most viruses are designed to be friendly to the anti-virus industry.
There's always been an implicit synergy between the virus and anti-virus companies. They need each other. But now we know there's more than that.
"Who else (besides virus writers) should code antivirus programs? Who else has the experience and technical skills for fighting viruses?"
just because you can blow up a bridge doesn't mean you should be trusted to build one.
it takes a completely different skillset to defend against viruses than it does to write them.
doctors don't have to know how to create a disease in order to know how to cure it. i would trust a doctor to treat disease far more than a bioweapons engineer.
just like i don't trust a burglar to guard a bank vault, i don't trust a virus writer to write antivirus software.
THAT would tell you whether he was as good as he claimed. Yep. And until I see him releasing code to fix exploitable holes in Open Source, he's still just another kiddie. Again, from the article: Pattern matching is nothing. And that's all that anti-virus software is.
Rather than spending his massive talent on pattern matching viruses, why hasn't he come out with something to prevent viruses in the first place?
Anti-virus systems are all re-active, not pro-active.
Re-active is easy.
Pro-active is hard.
This story is junk. Some "journalist" saw that a "criminal" had been hired by a "security" company and decided that it would be a good story.