Slashdot Mirror

← Back to Stories (view on slashdot.org)

Consumer Reports Creates Viruses to Test Software

Posted by ryuzaki0 on from the trial-by-fire dept.

Maximum Prophet writes to mention an MSNBC article about a Consumer Reports plan to test anti-virus software by creating viruses. Security companies are objecting, on the grounds that it's a generally accepted practice not to create viruses for any reason. From the article: "Consumer Reports didn't create thousands of new viruses from scratch. Rather, it took a handful of existing viruses and created hundreds of slight variants, changing the malicious programs just enough to evade detection by an antivirus program with a list of known threats. That's a common trick in the virus writing world; it's standard for a successful virus to inspire dozens of variants. "

19 of 241 comments (clear)

  1. Of course they are... by Theaetetus · · Score: 5, Insightful
    Security companies are objecting, on the grounds that it's a generally accepted practice not to create viruses for any reason.
    Well, yeah. Plus, you'll expose all the weaknesses in their software. Testing security only emboldens the terrorists!
    1. Re:Of course they are... by Lulu+of+the+Lotus-Ea · · Score: 4, Insightful

      Plus the fact that the anti-virus companies don't like the competition from Consumer Reports; after all, it's those companies that themselves create most of the "proof-of-concept" viruses to scare potential buyers (especially to create scares of vulnerability on OSX, Linux, BSD, etc... where no real vulnerability exists).

      --
      Buy Text Processing in Python
    2. Re:Of course they are... by Bastian · · Score: 5, Insightful

      Of course, this isn't really why they are objecting. Whatever McAfee and Symantec say, writing proof-of-concept exploits seems like standard practise to me. My best guess is that their fear is that this might cut into their profits because Consumer Reports is going to make the non-geek public more aware of the limitations of antivirus software. This could make them decide, "Well, if it can't protect me from all the viruses, especially not the new ones, than maybe it's not worth the money."

      Of course, Consumer Reports is almost certainly responsible enough to address this issue and point out to people that it's really a reason why they need to be updating their virus definitions as frequently as is practical.

    3. Re:Of course they are... by Hoi+Polloi · · Score: 5, Insightful

      I hear the Yale company is still furious over the time Consumer Reports tried a bunch of random combinations on their locks.

      --
      It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
    4. Re:Of course they are... by telbij · · Score: 4, Insightful
      Security companies are objecting, on the grounds that it's a generally accepted practice not to create viruses for any reason.


      I also had to quote this sentence because it's so silly. It's generally accepted practice by people who don't create viruses. Obviously a lot of people are creating viruses whether blackhat or whitehat or greyhat. Now where's my MAD magazine?
    5. Re:Of course they are... by vought · · Score: 5, Insightful

      that it's a generally accepted practice not to create viruses for any reason

      It was generally accepted practice for 50 years not to crash perfectly good cars. Until we started learning that we could protect the occupants of said cars better by finding out where the weak points were...by crashing perfectly good cars.

      What are Symantec. et al afraid of?

    6. Re:Of course they are... by Schraegstrichpunkt · · Score: 3, Insightful
      (especially to create scares of vulnerability on OSX, Linux, BSD, etc... where no real vulnerability exists).

      The vulnerabilities do exist; they're just not being exploited nearly as much. Of course, run-of-the-mill signature-based antivirus software is equally flawed, as Consumer Reports has shown and security geeks have already known.

      --
      http://outcampaign.org/
  2. 1st comment?! by dave562 · · Score: 4, Insightful
    And I'm not even a subscriber?!

    You know you're in trouble when Consumer Reports is pointing out that your software is worthless. As just about every /.er knows, pattern / signature based detection is all too easily circumvented. Unfortunately it's pretty much all we have. It has been my experience that enabling Heuristic based detection (in Symantec Corporate AV) at any level other than the default just leads to too many false positives.

  3. It is their property by Anonymous Coward · · Score: 4, Insightful

    Consumer Reports destructively tests many things. Why should it matter what they do to their own computers? As long as they don't release these viruses into the wild, there is no problem.

  4. Corporate Honesty by recordMyRides · · Score: 3, Insightful

    Security companies are objecting, on the grounds that they do not want the gaping holes in their software revealed to the public by Consumer Reports.

    --
    Track and chart data from your bike computer.
  5. There's no good reason to object to this by cagle_.25 · · Score: 4, Insightful

    1) Virus writers will write exactly the same code, unless the boys at Consumer Reports are dedicated enough to come up with truly innovative virus variations. So there's no fear that someone out there will "get ideas."

    2) Why not vet your software against somebody else's test suite? If CR wants to function as an extension of Symantec's R&D, let 'em. It's a win-win.

    --
    Human being (n.): A genetically human, genetically distinct, functioning organism.
  6. Good Idea by Apocalypse111 · · Score: 4, Insightful

    This is a very good idea, IMO. I mean, for years the major security companies have been using fear tactics to push their software. For an almost equal amount of time, security-concious geeks have been critical of this software. Having a trusted, disinterested third-party like Consumer Reports put it to the test sounds like the perfect solution to this situation.
    Its been a long time since someone outside of Norton has talked about how good a Norton product is, but they've been in the game for such a long time that they are trusted by the general public to do their job. I wonder how many would uninstall if Consumer Reports said that their product was utter crap? Or rather, how many would try to uninstall only to find that the uninstaller is broken too?

    --
    There is no mod option "-1: Disagree" for a reason. "Overrated" is not an acceptable substitute. Post something instead.
  7. Re:Hey, if it's good for AV products... by ifrag · · Score: 5, Insightful

    I'll take a stab at that first example of attempting to break into [a] home, since that's the only one that's comparable to what it seems they are doing. If CR wants to setup a test home in which to practice breaking in that's fine, it's their property and they can do with it what they want. It's a test scenario... saying they'd go out and break into consumer homes is not a good parallel. Consumer Reports is (hopefully) not going to create any public security risk in their process if it really is self contained. As long as it stays within their little "sandbox" I don't see what the problem is. The second two examples deal with people instead of objects so it obviously doesn't make for an easy expendable test case.

    --
    Fear is the mind killer.
  8. How well did they do it? by frankie · · Score: 4, Insightful

    As a CR subscriber, I am utterly amazed that they even had the IDEA to construct a test like that, much less actually find capable programmers and do it. Perhaps that security company cold-called them and suggested it?

    CR's technology reviews are often wrong in ways that would be laughable if they weren't so influential. Off the top of my head:

    • monitor reviews with photo display tests, where it was obvious to me that no one involved had ever heard of the phrase "gamma correction"
    • claim that a two-digit percentage of Macs were infected with spyware
    • a seemingly uncanny ability to review hardware obsoleted by newer versions in the interim between testing and publication

    Has anyone here heard of this "Independent Security Evaluators" biz? I wonder how many of the viruses were still functional (not just infectious) after twiddling.

  9. Re:Speaking as one who has been burned... by Guysmiley777 · · Score: 5, Insightful

    If they can guarantee containment

    How hard is it to unplug a network cable in your world? Don't use a machine with a WiFi card. Low level wipe the drives from a bootable CD when you're done. Not really rocket science.

    --
    Coding with assembly is like playing with Legos. Coding an application in assembly is like building a car with Legos.
  10. Claims shouldn't be verified by Hoi+Polloi · · Score: 4, Insightful

    Soon they'll propose testing car safety by doing test crashes! Or testing fire retardants by trying to set them on fire. Damn those Consumer Reports fools!

    --
    It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
  11. Re:Speaking as one who has been burned... by Space+cowboy · · Score: 3, Insightful
    We weren't trying to contain it, in our case - we *wanted* to see if it would work as well as we thought it would. The problem came because we *didn't* think about the consequences of someone using a floppy - we were focussed on the network aspects.

    So, we had a general routine to write a !boot (an autoexec-on-read-the-media) file, and hadn't considered the sequence of events of:
    • someone writing the virus to a floppy
    • Us wanting to get rid of the virus
    • That person bringing the floppy back into the lab and re-infecting the network.
    • Oh sh*t!

    So, even though we knew exactly what it was capable of, we hadn't considered the actions of one of those infected, and *that* caused us problems. It's not the capabilities that changed, it's the environment. You don't tend to find that out until you've hit the problem, or you would have dealt with it in the source code - that's all I'm saying...

    Oh, and I'm sure they'll take a more-responsible attitude than we had, we *were* 1st-year students...

    Simon.
    --
    Physicists get Hadrons!
  12. Bravo, Consumer Reports by osgeek · · Score: 4, Insightful

    I casually perused CR here and there, but I'd never really known much about them until a relative gifted me with a subscription. Here are a few things I like about them:

    1. They pay their own way. They purchase *all* of the products that they test and destroy, since cozying up to get sample products would tarnish their credibility.
    2. They don't accept any advertising dollars within their magazine, since that might bias their reporting and tarnish their credibility.
    3. They take a strong stand on protecting consumers beyond just good product recommendations. They do editorials and special reports on subjects that /.ers care about, like RFID and general privacy protection; taking strong pro-consumer stances that you don't see in other national publications.

    When my gift subscription runs out, I plan on purchasing my own. Not only because I find the product articles useful and interesting; but because the Consumer's Union does other good things with my money.

    --
    Why are you letting these clowns ruin our country?
  13. Because it's not 100% by Sycraft-fu · · Score: 4, Insightful

    Bitdefender doesn't catch all new viruses, updates are still important, it's just very good at finding new variants. That's what CR is testing here. Say a virus comes out that your software knows about but a variant comes along that it doesn't yet: Can it catch that? For some (like Sophos) the answer is no never, they check against a database and if it's not there you are SOL. For some like Bitdefender the answer is usually. They have a heuristic checking that works pretty well.

    There's no magic bullet, there's no "buy this once and be secure forever" kind of solution, but there are better and worse ones out there. Bitdefender and AVG (probably others those are just the two I know) are reasonably good at stopping new, unknown variants. Synametc, well not so good.