Slashdot Mirror


McAfee Blames Open Source for Botnets

v3xt0r writes "It seems that 'the Open Source Development Model' is to be blamed for the recent increase in botnet development. 'We're not taking aim at the open-source movement; we're talking about the full-disclosure model and how that effectively serves malware development,' the spokesman for McAfee says. Why not just blame the IRC Protocol? Or simply admit that Proprietary vendors cannot keep pace with the Open Source Model?"


  1. What? by NiteMair · · Score: 5, Insightful

    So, here is an article simply claiming that some "malicious developers" have found a way to collaborate using open-source tools...

    Wow, I've seen a lot of commercial vendors doing that in the recent years also - maybe they're all suspect.

    1. Re:What? by Ortega-Starfire · · Score: 2, Insightful

      **Waiting for the closed source companies contribute more to spyware article**

      --
      ---- Liquid was a patriot ----
    2. Re:What? by deathy_epl+ccs · · Score: 4, Interesting

      Certain vendors of anti-virus software appear to believe so. I wrote an exe-packer primarily so I could pack dotnet executables and distributed it for free. It got used by some malware author out there, and this anti-virus vendor decided then that anything packed with my exe-packer must be a virus.

      I swear, it doesn't pay to share anything any more. ;-)

    3. Re:What? by bwt · · Score: 4, Insightful

      Exactly. The open source model is a higher productivity model, so the black hats use it, just like everybody else that produces a lot.

      And of course, we have to suffer another dig at the full disclosure doctrine. But the part they left out was how they plan to get the black hats not to share information with each other. Full disclosure just assures that the white hats all have the same information and that the battle is fought on pure technology lines and not on who is better at hiding things (a battle the good guys would lose).

  2. Load of BS by Wieland · · Score: 5, Funny
    From TFA:
    The current generation of bot software has grown to the point where open-source software development tools make a natural fit. With hundreds of source files now being managed, developers of the Agobot family of malware, for example, are using the open-source CVS (Concurrent Versions System) software to manage their project.
    If that's the best example they can come up with... Geezz, malware writers probably eat cereal, too. Why not blame Kellogg's?
    1. Re:Load of BS by TheOtherChimeraTwin · · Score: 5, Funny

      No, he really has a point here. Pass a law forcing Botnet developers to use SourceSafe and you'll see Botnet development slow to a crawl.

    2. Re:Load of BS by cspring007 · · Score: 4, Funny

      Wait, i thought SourceSafe was malware.

    3. Re:Load of BS by Kesch · · Score: 4, Funny

      ScriptK1dd13 has joined irc channel #botnet
      M$BlowsMyBalls: ...and then I totally DDoSed the mofo!
      CS_Ownerrer: LOL!
      ScriptK1dd13: There's a bug in the bots. Some of them are spelling Vi4gra and C14lis correctly.
      CS_Ownerrer: Fixed in CVS
      M$BlowsMyBalls: RTFM, noob!
      ScriptK1dd13: There is no manual...
      M$BlowsMyBalls: ...
      ScriptK1dd13 has been kicked.
      M$BlowsMyBalls: Damn noobs.

      --
      If this signature is witty enough, maybe somebody will like me.
    4. Re:Load of BS by KevinIsOwn · · Score: 2, Funny

      Is that a bad thing?

    5. Re:Load of BS by TheOtherChimeraTwin · · Score: 4, Funny

      Indeed, one can only speculate how much subversive activity would result from outlawing CVS.

  3. Full Disclosure Vs Secrets by eldavojohn · · Score: 4, Insightful
    'We're not taking aim at the open-source movement; we're talking about the full-disclosure model and how that effectively serves malware development,' the spokesman for McAfee says.
    Yeah, you could probably blame a few people who altered a little bit of a virus/bot and re-released it to the public on the full disclosure model.

    But what model would you blame for the hundreds of PC viruses that devastated home and corporate computers in the 90's up to today? I think the exploits they relied upon were simple coding flaws and insecure type checking or buffer overflows that were simply poor coding kept as a secret.

    So, in light of what causes the malware, would I rather the code be fully disclosed or instead guess that there's probably no major exploit possible? I'd probably go with the former considering the sheer number of viruses based on the latter and the fact that it's the exploits based on proprietary code that often do the most severe damage to society.

    I would like to ask McAfee what they would think if a competitor found a virus and figured out how to fix it but couldn't tell McAfee that information because it would be considered disclosure. That would be the real irony here. Sites that host viruses and describe/publish them are often very useful sources for people looking to rid them from their computers or even how to avoid exploits in the future.

    This article is entitled "Hackers Learn from Open Source" but they only learn as much as the researchers and patchers do. I would rather the community be progressing towards solid impenetrable code than have guarded secrets that keep everyone under a thin veil of security. Because if those secrets are ever discovered by the wrong people, we will not know about them and we'll essentially be caught with our pants down. I'd rather have every programmer know the pitfalls of coding than to have thousands of applications deployed world wide all waiting for one hacker to stumble upon a secret.

    You really have to question McAfee's motives here in their Sage magazine ... are they doing this with the customer in mind or are they attempting to place themselves in the leader seat of virus protection with even more exploits running rampant on our machines?
    --
    My work here is dung.
  4. Gee, and I always thought by cyber_rigger · · Score: 2, Interesting

    ...it was the conspiracy to create insecure operating systems.

  5. They're missing the real culprit. by Rob+T+Firefly · · Score: 4, Funny

    The actual blame rests on Charles Babbage, and that "computer" idea of his. But to be fair, he might never have done that if it hadn't been for those damned ancient Greeks with their abacus...

    1. Re:They're missing the real culprit. by blcamp · · Score: 2, Informative

      It could have been the Chinese that are to "blame":

      http://en.wikipedia.org/wiki/Abacus

      --
      The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
  6. They don't explain how the alternative is better by AmiMoJo · · Score: 5, Insightful

    Say there is a vulnerability, only known to black hats, which is being exploited. Someone finds it, reports it to the vendor. The vendor sits on it for months while a massive botnet spams the hell out of us using it.

    Isn't it better to release info so people can do something about it? Network admins can use it to help block the attacks, or disable the vulnerable software. Users can stop using it. And people can even make their own patches, or use the shared knowledge to look for similar flaws in other software.

    We have seen this happen. Can anyone provide a good alternative, because McAfee certainly can't?

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  7. Schools and colleges are evil! by InfiniteWisdom · · Score: 4, Insightful

    Evil hackers learn programming techniques in schools and colleges!

  8. Well... by voice_of_all_reason · · Score: 3, Insightful

    Why not just blame the IRC Protocol?

    Because McAfee has an ulterior motive and wants to discredit the competition.

    Will there be anything else?

  9. Full disclosure != open source by Moraelin · · Score: 5, Insightful

    Basically it seems to me that McAfee _isn't_ complaining about OSS, and explicitly says they don't. There are two _very_ distinct and unrelated parts of the article:

    1. The open source part. Which doesn't contain any kind of anti-OSS slant. It just says that people now have a lot of F/OSS tools to manage their files and whatnot.

    2. The part about full disclosure. Where they basically whine that they'd like to have what we all call "security by obscurity." Basically McAfee would like a world where researchers keep a lot more stuff secret, because supposedly being public about that helps evil hackers. Which is as stupid as it gets, yes, but it also has nothing to do with OSS at this point.

    So why the fanboy slant in the summary?

    --
    A polar bear is a cartesian bear after a coordinate transform.
    1. Re:Full disclosure != open source by dzfoo · · Score: 4, Informative

      They *are* complaining. It's called "planting the seed of distrust":

      From the article:
      "Over the last year and a half, we've noticed how bot development in particular has latched on to open-source tools and the open-source development model,"

      Further down:
      Marcus said his company is drawing attention to the open-source trend to educate users, and not as an attempt to discredit open-source alternatives to its own proprietary software products. "We think [open-source antivirus products] are fine. They've never been something that was really in the same class as ours, but we've always been big supporters of open-source antivirus," he said.

      In other words, McAfee is saying "Bot writers are using Open Source tools to develop, maintain, collaborate on, and distribute malware. We're just saying, you know. Not that we're accusing them of anything; we're just saying."

      Then later in the article they start bad-mouthing Full Disclosure. That's, as you say, a separate topic.

          -dZ.

      --
      Carol vs. Ghost
      ...Can you save Christmas?
  10. An endorsement of open source? by Maru+Dubshinki · · Score: 3, Interesting

    Amusingly, you could read this article as an endorsement of open source software and methods, as in, "Open source methods and tools are so awesome that crackers and blackhats have switched to using them and now run rings around the antivirus corporations who don't."

    --
    Enquiring minds want to know!
  11. Then Surely....... by mormop · · Score: 2, Funny

    Car theft is the fault of metal-workers. After all, if powered centre-punches weren't available due to metal workers using them to mark drilling spots on metal then car thieves wouldn't use them to break car windows.

    Forget the fact that a powered centre punch is just an inanimate tool and that it's purely the malicious intent of car thieves that means they're used for illegal reasons, someone must be to blame. So let's lynch metal-workers for causing car theft!!

    --
    Hmmmmmm..... Deep fried and look like Squirrel.
  12. Re:It's the opposite, in my opinion by Proteus · · Score: 2, Funny

    Dude, they aren't even talking about bugs in OSS. They're saying that OSS development tools (like CVS, Eclipse, etc.) exist, and that that very existence means that OSS shares blame for all the malware that's out. Because, you know, if it weren't for OSS these coders couldn't get development tools.

    Pardon, that last sentence was too sarcastic -- I have to go puke now.

    --
    We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
  13. Re:fud alert by ultima · · Score: 2, Funny

    All code SHOULD be signed, with l33t ASCII art!

  14. Most IT workers blame McAffee for Current Viruses by Lumpy · · Score: 4, Insightful

    My headline is as credible as theirs. If they want to start flinging mud we can fling it back. Outsourcing virus writers to help perpetuate sales of Anti Virus software is good for business, has a large return on investment, and is a practical way of making sure that the next incremental release is purchased by all your customers.

    --
    Do not look at laser with remaining good eye.
  15. Don't forget that these are the same guys...... by 8127972 · · Score: 2, Interesting

    ..... who said that OSX is the next Windows:

    http://download.nai.com/products/mcafee-avert/WhitePapers/NewAppleofMalwaresEye.pdf

    So take anything they say with a grain of salt.

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
  16. Same class as McAfee by b0s0z0ku · · Score: 2, Funny
    "We think [open-source antivirus products] are fine. They've never been something that was really in the same class as ours, but we've always been big supporters of open-source antivirus," he said.

    "Same class?" Meaning as slow to start, buggy, and bloated as McAfee products? Open-source developers should be thanking that guy for the compliment.

    -b,

  17. Headline is a Troll by algae · · Score: 4, Insightful

    Given that the summary itself says that this is not about the open-source development model, I've got to conclude that the headline is a troll. You can apply the full-disclosure model of security notification to any software, open or closed.

    This is about whether the finders of security vulnerabilities give the vendor a grace period to fix the problem before disclosing the vulnerability to the general public. It has nothing to do with open source.

    --
    Causation can cause correlation
  18. What he said. by CCFreak2K · · Score: 2, Insightful

    "You know what really grinds my gears?..."

    Linux is evil, Windows is good, proprietary blah blah blah. The biggest shock to me is that anyone has the balls to point to open source and say "YOUR development model is responsible for this mess," especially considering the way Windows ships as default (make all initial users members of Administrators). I'm still reeling from hearing McAfee (or someone officially affiliated) say something to the effect of "Your open code and development is killing us!"

    You have to consider the fact that some tools, while they can aid those with ill will, serve mostly to benefit. Take nmap, for example. Some script kiddie can use it to scope out their target. On the other hand, a tech can use it to check for open ports on their own systems to prevent those kinds of things. These are useful tools, but because of their power, they could also potentially be used as bad devices in the wrong hands. You could say the same thing for guns. Innocent people are killed with guns (among other things, such as knives and harsh language). Should a bullet-proof vest manufacturer come out and say, "We're not taking aim at the gun manufacturers; we're talking about the ability to propel small things really fast and how that effectively serves criminals?"

    From the sounds of it, it sounds like they're blaming the OSS model simply because malware authors use it. Although, I could have completely missed what TFA was saying; I'm really tired and I keep reading each paragraph over and over and I just can't grok it.

    --
    "Beware of he who would deny you access to information, for in his heart he dreams himself your master."
  19. From the experts... by helmutvs · · Score: 5, Interesting

    Who brought you an "update" the other month that categorized files from "IBM (Rational), GreenHills, MS Office, Ansys, Adobe, Autocad, Hyperion, Win MPM, MS Shared, MapInfo, Macromedia, MySQL, CA, Cold Fusion, ATI, FTP Voyager, Visual Studio, PTC, ADS, FEMAP, STAT" as viruses and promptly deleted them. Here's the story.

    --
    There are no uninteresting things. There are only uninterested people.
  20. Dude, again, it's _not_ about OSS by Moraelin · · Score: 4, Interesting

    RTFA, seriously. That disclosure that they mention is _not_ the disclosure of OS code. If you RTFA, at that point they explain very well what they mean by "full disclosure" and it has _nothing_ to do with OSS any more. Their "full disclosure" is about researchers disclosing a vulnerability, together with ample instructions and proof of concept code of how it can be exploited. It has _nothing_ to do with Linux vs Windows, Closed Source vs F/OSS, etc. It's about disclosing vulnerabilities.

    Basically what McAfee says is, "I wish researchers stopped telling everyone everything about this and that buffer overflow. Telling people everything about a bug only helps the evil hackers use it in a virus!!!111one1eleventeen" Not an exact quote, but that's the general idea they're peddling there.

    Which is, in a nutshell, just the old "security by obscurity" argument. Which has already been debated to hell and back and is known to not work that way. And, frankly, it's weird to see McAfee preaching that attitude, because the anti-virus makers should know the best that it never worked that way.

    --
    A polar bear is a cartesian bear after a coordinate transform.
  21. People shouldn't blame McAfee..... by Dcnjoe60 · · Score: 4, Funny

    People shouldn't blame McAfee. They're just really stressed out. You'd be too, if you had to make Windows a secure OS.

  22. In related news by rs79 · · Score: 4, Funny

    I blame open source for the development of the internet.

    --
    Need Mercedes parts ?
    1. Re:In related news by docbob · · Score: 2, Funny

      Do not blame the opensource movement for the Internet, it was all Al Gore's fault. Doc

  23. Ah, well, it's McAfee by Moraelin · · Score: 2, Funny

    Ah, well, it's McAfee, so being "better" than that doesn't really say much. I'm sure there are some good OSS AV programs out there, but comparing them to McAfee really doesn't say much. It's sorta like saying that they're better than a kick in the crotch.

    Honestly, the last time I used that crap "security" suite of theirs, it was far worse than your average virus.

    Among _many_ samples that proved massive cluelessness was the fact that as soon as it "updated" itself, it actually couldn't cope with being installed in a different directory than what the installer proposed, and proceeded to install the update as a second copy in the default directory. Both copies running at the same time. The combined effect was slowing my computer worse than some spyware cocktails I've seen on other people's computers. Uninstalling it actually uninstalled one copy, and left the other one running. I had to edit the registry and delete files manually to get rid of it.

    Yes, you've read it right. If you thought manually editing the registry applied only to getting rid of viruses and spyware, now you can add McAfee's crap to that.

    Other stuff included a sort of a "privacy guard" that, effectively, ruined access to any site that used cookies. Using most forums became impossible. File Planet thought simultaneously that I'm logged in and _not_ logged in. And so on.

    And, as I was saying, many many other such annoyances.

    But you know what takes the cake? This: on March 10, McAfee deletes system and Office files, thinking they're a virus

    I mean, frankly, at that point their solution is worse than most viruses and trojans. A lot of viruses just sit there and silently send spam or redirect popups or whatnot. Having to reinstall half your apps used to be the mark of the nastiest and most anti-social malware. Now McAfee lets you experience that without the trouble of actually getting virused.

    So, frankly, comparing anything to McAfee is going to look good. A turd on the side of the road seems better when you compare it to McAfee.

    --
    A polar bear is a cartesian bear after a coordinate transform.
  24. Re:Corral Cache damn you guys by kennedy · · Score: 2, Informative

    Try the Slashdotter plugin for firefox...

  25. 'scuse me, McA, but that's bollocks by Opportunist · · Score: 4, Interesting

    Could be that they have to get that air of being against closed source off them after they found Excel to be a trojan (ok... some might claim it's not really a false positive, but still... a few companies didn't enjoy the idea of having their Excel removed...).

    But quite seriously, could anyone please explain just HOW a malware author would benefit from open source? Because of the tools? Seriously, if you're writing software that's considered "illegal" in most places of this planet, would you care about licensing? Whether the software is free (as in beer and as in software) is pointless for him. If it's not free, he'll copy it illegally.

    Because they could learn how to write malware? The "real" malware projects are not open source, actually anything BUT it. First of all, major exploits are not shared, they're sold. Plain and simple. Malware is a business, just like a lot of other software, and they are by far the last to go for open sourcing, simply because it would cut into their revenue. Actually, the few snippets and code parts that ARE open source is one of the key sources for AV researchers, unless they want to go for the darker venues in the trade. And, finally, when knowledge becomes illegal, gimme a ring. Then it's time to leave the planet.

    If you want to learn how to write malware, you needn't wade through open source projects. You won't find much worth finding.

    So I don't really understand just why McA is targeting the OSS movement. There is little to be gained by malware writers through OSS, but a lot for those opposing malware. If anyone, it's the AV researchers who benefit from open sourcing malware. Because they would have a hard time explaining just why they would have sent money towards people wearing darker colored hats.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  26. Misleading title by HangingChad · · Score: 2, Informative
    It makes it sound like virus writers are using open source software to launch botnets. They're using open source software development techniques to create botnet software for Windows.

    Sheesh.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
  27. McAfee Afraid of Open Dialog? by powerlord · · Score: 2, Insightful

    Perhaps what McAfee is really afraid of is the open dialog and response of something like ClamAV?

    If enough developers 'pool' into working on it, and an open dialog of faults and vulnerabilities continues, could they find themselves out of a job from an Open Source solution?

    (especially as they are about to be challenged by MS Defender, which could also benefit from open dialogue to augment a shallower background in the field?)

    --
    This space for rent. All reasonable inquiries will be entertained at proprietor's discretion.
  28. Improves all development by Spazmania · · Score: 2, Insightful

    we're talking about the full-disclosure model and how that effectively serves malware development

    The open source, full-disclosure model improves the pace of ALL software development. All means all, including software development for "bad" purposes.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  29. Once again, Free Speech is causing problems by AllParadox · · Score: 3, Interesting

    Just as the vendors claimed, this full-open-disclosure business is promoting distribution of powerful tools to, well, just anybody. Now the bad guys know about it and are using it. Can it get worse than this? Oh, sure. Try stopping it.

    AllParadox - Retired Attorney, no legal opinions, just my opinion.

    --
    All is paradox. Retired lawyer, so this is just one more layman's opinion.
  30. Time to roll up your sleeves by slightcrazed · · Score: 2, Funny

    Someone needs to tell Macafee that it is time to put on their white shirts, roll up their sleeves, cross their arms and scowl.

  31. CVS by Kelson · · Score: 4, Funny

    Hackers use CVS? Seriously, who cares where they get their drugs, anyway?

  32. On locks and Open Source by crono_deus · · Score: 4, Informative
    Dammit, I've heard just about enough of these arguments. About 150 years ago, this man called Charles Tomlinson published a paper regarding how the mechanical workings of all locks should be public knowledge because, he reasoned, if the public knew about the weaknesses and strengths of each lock, they could 1) force the lockmaker into making a better lock, and 2) choose the one that suited them the best.

    Below are two excerpts from the paper, found, interestingly enough, using the "fortune" program. Yes, I know that the making of locks isn't exactly like the creation of software, but the principle remains the same. Security through obscurity is no security at all; however, if the standards and techniques are open and available to the public, we, the "experts" in the field, will actually be able to hold companies accountable for problems and shortcomings in their software.

    "A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and already know much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lockpicking long before locksmiths discussed it among themselves, as they have lately done. If a lock -- let it have been made in whatever country, or by whatever maker -- is not so inviolable as it has hitherto been deemed to be, surely it is in the interest of *honest* persons to know this fact, because the *dishonest* are tolerably certain to be the first to apply the knowledge practically; and the spread of knowledge is necessary to give fair play to those who might suffer by ignorance. It cannot be too earnestly urged, that an acquaintance with real facts will, in the end, be better for all parties."

    -- Charles Tomlinson's Rudimentary Treatise on the Construction of Locks, published around 1850

    "In respect to lock-making, there can scarcely be such a thing as dishonesty of intention: the inventor produces a lock which he honestly thinks will possess such and such qualities; and he declares his belief to the world. If others differ from him in opinion concerning those qualities, it is open to them to say so; and the discussion, truthfully conducted, must lead to public advantage: the discussion stimulates curiosity, and curiosity stimulates invention. Nothing but a partial and limited view of the question could lead to the opinion that harm can result: if there be harm, it will be much more than counterbalanced by good."
    -- Charles Tomlinson's Rudimentary Treatise on the Construction of Locks, published around 1850.

    If you ever wanted to send anything defending OSS to anyone, this would be a very good thing to send.

    --
    Ne Cede Malis.
  33. It is soo tempting to read between the lines. by dilvish_the_damned · · Score: 2, Interesting

    I know he is suggesting that they are not throwing snowballs at Open Source, but specifically at full disclosure. However, if you go ahead and a read a little more into it, phrases such as

    "We're not taking aim at the open-source movement; we're talking about the full-disclosure model and how that effectively serves malware development," he said.

    become more transparent.

    What effectively serves malware development also serves things like clamav and snort. I suspect this botnet thing is just a short term issue for them; the long term problem is full-disclosure used to defend oneself.
    Maybe I am wrong. Maybe it is all about malware developers becoming more effective. If that's true then this reads like an apology for being ineffective.

    Or maybe it's just a sad cry for help. Like a suicide note left in a conspicuous place.
    It's fun reading things into things.

    --
    I think you underestimate just how much I just don't care.
  34. Full Disclosure Lowers the Barriers to Entry by BeBoxer · · Score: 3, Insightful

    Maybe that's what McAfee really cares about. Full disclosure means, in part, that it's easier for new vendors and products to compete in the security field. Sticking with limited disclosure, where only the OS vendors and established security vendors are informed, just lets the established vendors get complacent. Which given the quality of modern security software I would say has already happened. So they throw a bunch of FUD around, as though the problem isn't in large part due to closed-source software vendors being incapable of getting their shit together when it comes to security.

  35. Re:They do have a point by ciggieposeur · · Score: 2, Insightful

    I don't see why computers should be any different. Yes I want disclosure about security problems, especially if the company is slow in getting a patch out. However disclose the problem, what it relates to, what the potential attack vectors are, and what if anything can be done to fix it. Don't go and post code that not only shows people how the exploit works but allows them to just compile and do it. Do that and in all likelihood my system will be 0wned before I ever read the notice and try to do anything about it.

    In an ideal world, a security researcher will discover a fix and do the following:

    1) Create code that reliably exercises the flaw that can be used to verify that the problem really exists and that the fix (when it is finished by the vendor/OSS group) works. You can call this the "exploit code" if you want; it is necessary for someone to create it so that the fix in step 3 below can be tested.

    2) Notify the vendor/group of the hole and pass along the exploit code.

    3) The vendor/group evaluates the problem, assigns a reasonable fix schedule to it, and eventually a fix is produced, verified to work against the exploit code, and distributed to the world.

    4) The hole is then announced on a security bulletin *along with the exploit code* to notify customers/users that might not have updated already that they should do so at their earliest convenience, and to provide customers/users (many of whom are knowledgeable programmers) the same tool given to the vendors to verify that the hole is plugged in their systems.

    This is a reasonable system. The whitehats try to do it all the time, and for many OSS projects it works out just this way. Blackhats OTOH do only #1 and then distribute the exploit code only to other blackhats, so that when they use a flaw both vendors and customers/users are taken unawares.

    Unfortunately, many closed-source vendors break the whitehat process between steps #2 and #3. They are given notification and exploit code, but rather than prioritize a fix they decide that no fix is necessary, because their local astrologer told them that only whitehats find flaws. After enough time with no action, the whitehats MUST move on to #4 so that users can isolate the systems with the hole in order to preserve the rest of their network.

    In your house analogy, this is equivalent to notifying a neighborhood that the developer who built many of their houses made a serious mistake in the wiring such that any house at any time might burn to the ground, and that their insurance will not cover it, and the developer has decided not to pay for a fix, and the local fire department has announced that they will not intervene to stop any fires that start due to a wiring fault.

    A device is available that can quickly determine which houses are at risk. The developer is spending twice as much money as needed to fix the wiring on ads in the local newspaper exhorting those citizens who have these "bad house detector" devices to destroy them rather than share them with their neighbors so that they can hire their own electricians.

    The process YOU want is already being followed by the majority of legitimate whitehats. The process McAfee wants leaves everyone screwed.

  36. Re:When has the AV industry really cared about ... by Opportunist · · Score: 2, Interesting

    I concur. Security is not a product, it's a process. Unfortunately, we let all the clueless people in who don't know the first thing about security. What should we do? Lock them out? Throw them out of the 'net 'til they learn how to keep their crate secure? I'm the first to sign that petition, but you'll have a very hard time getting it passed past the counter pressure of the industry trying to sell the 'net to them, since they are by definition a more interesting target group than people who know their tools and their net. Would you buy a virus scanner? A firewall solution? Hell, would you click a "punch the monkey" ad? Would you follow a spam mail?

    Nope. But they do. And there's money to be made.

    So those people are here, and they're here to stay. You can't teach them security. It's futile, I've tried. They care about their inter...thingwebsomething and mailing their auntie in Greece and that they can buy some pr0n online but being a spambot or trojan distributor, who cares?

    Yes, MS's APIs contain some horribly insecure functions, coupled with the predominant (ab)use of admin privilege accounts (because some horribly written software requires it), and the fact that people would rather switch "everything on" before trying which setting is REALLY required. "Just make yourself admin and all works" is the creed.

    Don't think it would be different if Linux/BSD was the dominant system. We'd get to see the same problem, except that people would surf around the 'net as root. The main difference would probably be that patches would start popping up more quickly, and if some program relies on an insecure function it would break 'til the programmer fixes it. Linux/BSD core people tend to be less lenient, especially with functions labeled "for debugging purposes only".

    So AV tools are a stopgap against that problem. Yes, we see the same entry points abused time and again. Yes, it starts to be boring every time I dissect another trojan, only to find it uses the same routines to sink its hooks into the system. Yes, we tell MS to get rid of those functions and the only thing we get in return is "we can't".

    So tell me how to solve this problem.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.