Slashdot Mirror
Consumer Reports Creates Viruses to Test Software
Maximum Prophet writes to mention an MSNBC article about a Consumer Reports plan to test anti-virus software by creating viruses. Security companies are objecting, on the grounds that it's a generally accepted practice not to create viruses for any reason. From the article: "Consumer Reports didn't create thousands of new viruses from scratch. Rather, it took a handful of existing viruses and created hundreds of slight variants, changing the malicious programs just enough to evade detection by an antivirus program with a list of known threats. That's a common trick in the virus writing world; it's standard for a successful virus to inspire dozens of variants. "
Clearly this is all just a cover. The Templars are using Consumer Reports as a cover to train a stable of elite Black Hat hackers, with which to take over the world. They're in a race against Communist China, the Russian Mob, and the NSA.
Any sufficiently well-organized community is indistinguishable from Government.
You know you're in trouble when Consumer Reports is pointing out that your software is worthless. As just about every /.er knows, pattern / signature based detection is all too easily circumvented. Unfortunately it's pretty much all we have. It has been my experience that enabling Heuristic based detection (in Symantec Corporate AV) at any level other than the default just leads to too many false positives.
Consumer Reports destructively tests many things. Why should it matter what they do to their own computers? As long as they don't release these viruses into the wild, there is no problem.
Security companies are objecting, on the grounds that they do not want the gaping holes in their software revealed to the public by Consumer Reports.
Track and chart data from your bike computer.
for one of their viruses getting out then by all means I think Consumer Reports should be allowed to continue.
Catching them after they are out is easy. The consumer really has so very little to go on from a "trusted source" in regards to virus scanning that the obscurity benefits the AVG companies. With a little more light on the subject we all benefit, all except the AVG companies. Guarantee that whomever CR picks is going to parade that around regardless of their stance before testing occurs.
Again, if CR is willing to accept liability for one of their tests getting out into the wild then I say go for it! Perhaps they should register their "new toys" with someone for backup? Of course that makes for another hole too.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
(See my Journal entry for the gory details) ... I would sincerely recommend they don't play with fire. There are too many ways that self-replicating programs can go wrong... or too-right, as in my case :-(
If they can guarantee containment, of course, a virus is completely harmless to the rest of the world. The problem comes when containment is breached because of something you didn't think of - and the problem with things you didn't think of, is that you didn't think of them [grin].
Simon (now a thoroughly-reformed character, honest guv)
Physicists get Hadrons!
Be sure to read our other Consumer Reports articles, where we:
- and -
Thanks, Consumer Reports. Thanks bunches.
____
~ |rip/\/\aster /\/\onkey
1) Virus writers will write exactly the same code, unless the boys at Consumer Reports are dedicated enough to come up with truly innovative virus variations. So there's no fear that someone out there will "get ideas."
2) Why not vet your software against somebody else's test suite? If CR wants to function as an extension of Symantec's R&D, let 'em. It's a win-win.
Human being (n.): A genetically human, genetically distinct, functioning organism.
Security companies are objecting, on the grounds that it's a generally accepted practice not to create viruses for any reason.
You mean they aren't already doing this internally? If not... what the hell are they doing all day? If they're just being reactive without testing their software against possible variants then their software isn't really useful. Though frankly I find antivirus software to be a cure worse than the disease. A 1/100 chance I'll get a virus that does bad things to my computer, or a 100% chance that my computer will run like crap due to NAV.
Solution? Backup all my documents (mostly pics) to a dvd monthly and trust my Linux box firewall/router/proxy to keep the bad bits out.
rooooar
You can use these files to test if your AV program is working
http://www.eicar.org/anti_virus_test_file.htm
That is exactly what virusscanner sellers do. They create new virusses, mutate them and test them out. Of course they don't do that in a internet or network-connected environment. In all cases this should be in a lab environment completely closed off from the exterior world.
What's the big deal here? A bunch of Windows computer with antivirus software running in a closed off network as to benchmark some programs. Happens with games, office software etc... nothing to see here, please move along.
Of course this way you also get stories (hoax, urban legends) like the one about Symantec releasing virusses to sell their software...
Custom electronics and digital signage for your business: www.evcircuits.com
This is a very good idea, IMO. I mean, for years the major security companies have been using fear tactics to push their software. For an almost equal amount of time, security-concious geeks have been critical of this software. Having a trusted, disinterested third-party like Consumer Reports put it to the test sounds like the perfect solution to this situation.
Its been a long time since someone outside of Norton has talked about how good a Norton product is, but they've been in the game for such a long time that they are trusted by the general public to do their job. I wonder how many would uninstall if Consumer Reports said that their product was utter crap? Or rather, how many would try to uninstall only to find that the uninstaller is broken too?
There is no mod option "-1: Disagree" for a reason. "Overrated" is not an acceptable substitute. Post something instead.
As a CR subscriber, I am utterly amazed that they even had the IDEA to construct a test like that, much less actually find capable programmers and do it. Perhaps that security company cold-called them and suggested it?
CR's technology reviews are often wrong in ways that would be laughable if they weren't so influential. Off the top of my head:
Has anyone here heard of this "Independent Security Evaluators" biz? I wonder how many of the viruses were still functional (not just infectious) after twiddling.
If this helps wake people up to the fact that anti-virus programs simply don't work, all the better. For example, at one time or another, nearly every antivirus package has declared applications with NSIS installers as malware. I remember having a McAfee trial on my computer, that would regularly make up infections. Yet, when a slightly updated version of a worm comes out, you're unprotected.
I'm scared of numbers that can't be written as a fraction. It's an irrational fear.
This is what real engineering is all about. It takes real software engineers, not code monkeys, to expost the vulnerability of a product, and report it to the consumers.
It's the duty of every engineer (those that can rightfully call themseleves engineers) to protect the public.
Clearly, classical antivirus software is not protecting us. Kudos to these folks for pointing out what should be the painfully obvious.
Soon they'll propose testing car safety by doing test crashes! Or testing fire retardants by trying to set them on fire. Damn those Consumer Reports fools!
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
FTA: "'Those viruses exist right now only on a CD in a sealed container in a locked cabinet in our computer lab,' Beckford said."
Seriously, it's not like these will ever exist outside of a lab, right? And if they do, the AV companies won't have any problem finding the source code, will they?
Isn't that kind of like telling the insurence institue that they can't change their car crash tests because car makers designed their cars only for specific crash tests? Gee, better not create anything that a car might run into, it's bad ethics!
----- Connection reset by beer
The eicar test-virus file is a great way to see how your computer/av-suite will react to a virus. However, it's not an effective test to see how the heuristics systems and such react. It's non-destructive, and every AV vendor makes sure that they can "catch" it. That's nice for making sure that your AV is running, or that your AV on some workstation reports back to the management computer that it caught a virus, but not for testing the ability of AV software to find new viruses that don't necessarily have definitions written for them yet.
----- Connection reset by beer
AV software WILL protect you from new viruses... Just not McAfee and Symantec's crap. Well I suppose I should rephrase: Their software can protect you, but not very well, not as well as others. Bitdefender appears to do the best job at finding viruses that it doesn't have in it's DB. AVG also seems to do a pretty good job.
That's what they are afraid of. Not that it will be revealed their software does nothing, it does work, just that there is cheaper software that works better.
I casually perused CR here and there, but I'd never really known much about them until a relative gifted me with a subscription. Here are a few things I like about them:
/.ers care about, like RFID and general privacy protection; taking strong pro-consumer stances that you don't see in other national publications.
1. They pay their own way. They purchase *all* of the products that they test and destroy, since cozying up to get sample products would tarnish their credibility.
2. They don't accept any advertising dollars within their magazine, since that might bias their reporting and tarnish their credibility.
3. They take a strong stand on protecting consumers beyond just good product recommendations. They do editorials and special reports on subjects that
When my gift subscription runs out, I plan on purchasing my own. Not only because I find the product articles useful and interesting; but because the Consumer's Union does other good things with my money.
Why are you letting these clowns ruin our country?
The /. summary says that "plan to test anti-virus software by creating viruses."
TFA says "Consumer Reports recently conducted one of the most thorough tests ever of antivirus programs. But to really put these security programs through the paces, the magazine hired a firm to create 5,500 new viruses, using them to test the antivirus software products for their ability to detect unexpected threats."
By the way: "In the results, McAfee scored in the middle of the pack. BitDefender and Zone Labs scored at the top, in part for the two program's abilities to detect new viruses."
CR's model which provides its independence also means it doesn't tend to have the chummy, early access relationship many other outlets have with manufacturers. Them actually doing really substantial tests also means that they tend to take longer than some other outlets. OTOH, I've rarely been led astray by a CR review on anything, computer related or not, so I'm pretty happy with them despite their limitations.
Even in the latest issue (September 2006), they persist in assessing the rate of Mac OS X spyware and virus infections by conducting a survey, an annual gaffe on their part. Rather than checking around and discovering that no such malware exists in the wild, they assume that computer users are able to judge for themselves the cause of computer difficulties.
This would be like studying the mechanisms of natural selection by way of a survey. Hey, whaddyaknow, turns out there's no such thing as evolution, a survey of Americans would have to conclude.
Consumers Union knows better. I don't know why they keep repeating this mistake.
-Waldo Jaquith
From the article: "I understand .. if you want to test a car's performance, you test the car put on road with lots of bumps on it," Marcus said. "But when you are talking about malicious code, there's a threat to public. There are professionals who know how to handle viruses. It should be left to them." (emphasis added)
Well, that's why Consumer Reports hired computer security professionals to work with on this. Maybe they're just mad that CR didn't ask them to be the security consultants... oh wait, that might be a conflict of interest for the product review. Tough.
$nice = $webHosting + $domainNames + $sslCerts
Consumers Reports is the most trusted amoung consumers. They put products through their paces and ensure they work well. With that said, yes Consumer Reports create viruses. They already have done so for testing lastest virus programs. Consumer Reports September 2006 issue has said this. They have rated Bit Defender as the best. The issue specifically said they created new viruses to test how well they did against new viruses not already in the signature lists.
People like Igor Muttik are just scared their crappy anti-virus software sucks. Mcafee ranked #6 in the Sept 2006 issue. And even if a CR virus got loose, CR can release the viruses details to venders immediately. The virus wouldn't last more than couple days.
\
Bitdefender doesn't catch all new viruses, updates are still important, it's just very good at finding new variants. That's what CR is testing here. Say a virus comes out that your software knows about but a variant comes along that it doesn't yet: Can it catch that? For some (like Sophos) the answer is no never, they check against a database and if it's not there you are SOL. For some like Bitdefender the answer is usually. They have a heuristic checking that works pretty well.
There's no magic bullet, there's no "buy this once and be secure forever" kind of solution, but there are better and worse ones out there. Bitdefender and AVG (probably others those are just the two I know) are reasonably good at stopping new, unknown variants. Synametc, well not so good.
Not even close to true, although it is the only current operating system with those characteristics and frankly, if you're installing XPSP2, that's not true either, because you're firewalled by default. Still, I've actually seen it happen to Win2k...
You have made a sp2 slipstream CD, yes?
The only reason XP is more vulnerable than 98 is that 98 is on the decline and most of the machines running it are shitboxes, so people aren't putting out new attacks and trying to take over Win98 systems. My Win98 got owned several times; I haven't gotten owned on XP yet.
Your idiot boss? Who's more foolish, the fool, or the fool who follows him?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
The problem is that AV software at the moment scans for signatures of known malware. Essentially they are reactive.
What they should be doing more heuristic scanning, identifying malware by characteristics rather than looking for particular malware signatures.
This is a fundimental weakness in most existing AV software. Certainly this is harder to because legitimate software can do similar things to malware. That doesn't change the fact that AV companies should be concentrating more on this. This is particularly true as most "successful" worms get modified and re-released. As a result it should be possible for the AV companies to detect the altered worms.
Consumer reports is doing us all a service here by exposing this weakness. Provided they ensure the worms don't get out I'm all for it. This is a perfectly valid way of testing the malware. In addition FTA they are doing what most malware writers do anyway: altering the worm just enough so that it is likely to get past the signature based scanning software.
Shame on you McAfee.
meh