Slashdot Mirror


Antivirus Firms Out of Their League With Stuxnet, Flame

Hugh Pickens writes "Mikko Hypponen, Chief Research Officer of software security company F-Secure, writes that when his company heard about Flame, they went digging through their archive for related samples of malware and were surprised to find that they already had samples of Flame, dating back to 2010 and 2011, that they were unaware they possessed. 'What this means is that all of us had missed detecting this malware for two years, or more. That's a spectacular failure for our company, and for the antivirus industry in general.' Why weren't Flame, Stuxnet, and Duqu detected earlier? The answer isn't encouraging for the future of cyberwar. All three were most likely developed by a Western intelligence agency as part of covert operations that weren't meant to be discovered and the fact that the malware evaded detection proves how well the attackers did their job. In the case of Stuxnet and Duqu, they used digitally signed components to make their malware appear to be trustworthy applications and instead of trying to protect their code with custom packers and obfuscation engines — which might have drawn suspicion to them — they hid in plain sight. In the case of Flame, the attackers used SQLite, SSH, SSL and LUA libraries that made the code look more like a business database system than a piece of malware. 'The truth is, consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets,' writes Hypponen, adding that it's highly likely there are other similar attacks already underway that we haven't detected yet because simply put, attacks like these work. 'Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn't. We were out of our league, in our own game.'"

53 of 233 comments

  1. Helps when you have the OS companies helping by trout007 · · Score: 5, Interesting

    I mean seriously does anyone think the OS companies aren't in on this type of operation?

    It reminds me of the CIA-Xerox story.

    http://dagmar.lunarpages.com/~parasc2/articles/0197/xerox.htm

    --
    I love Jesus, except for his foreign policy.
    1. Re:Helps when you have the OS companies helping by Narcocide · · Score: 5, Interesting

      Well that's one good theory, but I suppose that if it's possible to make a virus like Stuxnet primarily target only computers that control Iranian uranium-enriching centrifuges it would also be possible to write the same virus to *avoid* activating itself anywhere in sight of machines owned by anti-virus corporations.

      There's still some level of plausible deniability here; the real question is what to do about the fact that installing anti-virus software in the first place is, while not effective enough, also the limit of most users' capability to secure their computers.

    2. Re:Helps when you have the OS companies helping by Anonymous Coward · · Score: 2, Interesting

      For that matter, an anti-virus expert would be a good person to ask how to get past anti-virus.

    3. Re:Helps when you have the OS companies helping by damien_kane · · Score: 2

      Not the OS companies, the AV companies
      Ironic, no, that a virus with a definite source that isn't an AV company is also immune to those same AV companies?

    4. Re:Helps when you have the OS companies helping by trout007 · · Score: 5, Informative
      --
      I love Jesus, except for his foreign policy.
    5. Re:Helps when you have the OS companies helping by PPH · · Score: 5, Interesting

      The tin foil hatters who worry about NSA-mandated back doors should be worrying about how many code signing keys the CIA/FBI/NSA/Pentagon have extracted from Microsoft. Or borrowed from gov't contractors (Boeing/Lockheed/etc).

      And how many US based AV companies, have "found something" out there on the Internet and put it into their database. But then failed to act on it at the behest of one of these TLAs.

      That may be one reason Kaspersky has blown the whistle on a few things recently. How is the NSA going to call a Russian company and ask them to sit on some information without that making its way into their intelligence services? And used as leverage in future political events?

      --
      Have gnu, will travel.
    6. Re:Helps when you have the OS companies helping by stephanruby · · Score: 3, Insightful

      Sure, the OS companies. Yes.

      But not the anti-virus companies, which is what we're talking about here. The anti-virus companies are just script kiddies. Their core competencies are public relations and cookie scaremongering, but that's all. They do not pay people to do original research, that would cut into their profit margins.

      If they can detect something, it's only because someone else did the research and posted it on their blog. Once someone has written some manual instructions for detecting the malware and removing it, the anti-virus companies are capable of writing a script that tries to do the same automatically, but even that sometimes stretches the limit of their capabilities since they can't even do that part correctly many of the times.

      The real research is done by people like Mark Russinovich (and yes, you don't have to trust anything he has written after his company was acquired by Microsoft, you can just take a look at his oldest blog posts first -- which pre-date the acquisition).

    7. Re:Helps when you have the OS companies helping by mrex · · Score: 4, Insightful

      Right down to Microsoft's "mistake" in their Terminal Server certificate assignment process, that "accidentally" allowed those certificates to be used to sign code.

    8. Re:Helps when you have the OS companies helping by ganjadude · · Score: 2

      He actually didn't say anything other than post the link that it was a Microsoft-signed article

      yeah, I know, don't feed the trolls

      --
      have you seen my sig? there are many others like it but none that are the same
    9. Re:Helps when you have the OS companies helping by stephanruby · · Score: 2

      Then, how do you interpret the first line of the specific article you linked to?

      Thanks to some tips from a Dutch Profibus expert who responded to our call for help, we’ve connected a critical piece of the puzzle.

      That Dutch Profibus expert was Rob Hulsebos, Industrial Network Expert and Owner of Enode Networks. The guy is an independent consultant, and could use the publicity. Don't you find it odd that Symantec didn't name him as their source?

      Granted, he may have been under contract at the time, or he may have had a thousand and one reasons not to be quoted by name directly (liability reasons, or whatever).

      In any case, the anti-virus companies are really not incentivized to reveal their original sources. I don't know if this is what happened in this case, but then again, I have a pretty low opinion of anti-virus companies so I may not be objective in all of this.

  2. First, antivirus authors used generic tools to... by ArsenneLupin · · Score: 4, Insightful
    ... write their warez. And they were easily disassembled, and recognized for the evil they were.

    Then they started using custom packers and obfuscators, making them as hard to reverse engineer as Skype.

    But anti-virus software just started detecting the packers and obfuscators, which no legitimate code would have...

    So, now they went back to using generic tools and libraries. Full circle!

  3. P.S. by CajunArson · · Score: 5, Insightful

    If these things really are being written by western intelligence agencies then don't think that Windows is the only platform they can compromise.

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re:P.S. by Opportunist · · Score: 3, Funny

      Not wanting to break NDAs but: You overestimate the intelligence in intelligence...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:P.S. by drinkypoo · · Score: 3, Interesting

      If these things really are being written by western intelligence agencies then don't think that Windows is the only platform they can compromise.

      Why not? Granted, they have access to all the same attacks the rest of us do, but Windows is the only operating system whose back doors they are in a position to be effectively the sole parties familiar with. Remember when Microsoft was shown to be guilty of violating its monopoly status? Remember how nothing ever came of that? No, something came of that. Microsoft is now a part of the same group of assholes that controls politics in America. Bill Gates is in like Flynn; he does as he's told and controls vast sums.

      You may have noted (here and elsewhere) that the US government told people to use Vista for security. That announcement was met with loud guffaws here on Slashdot, but I presumed then and presume now that it was because it's the operating system they're deepest into. But presumably they've been deep into Windows since NT.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:P.S. by hairyfeet · · Score: 2

      I'm sorry friend but you are dead wrong and in fact I'd argue that many of the open source projects would probably be EASIER to plant bugs in than Windows, why? Because there are a ton of projects that are made up of a handful of guys that are always understaffed. Don't think those guys would welcome a highly skilled volunteer from XYZ Corp? And just because the code is open doesn't mean any people with the skills to spot a highly obfuscated bug actually look at the code; look at how an infected Quake 3 was in the repos for over a year and a half.

      So I'm sorry friend but all it takes is money and desire and the three letter agencies have both in abundance so it really wouldn't be hard. Look at how many packages are used in damned near every distro, now tell me have YOU looked at the code for all those common packages? How well do you know the teams that made them? It's not magic folks, you find a weak spot and exploit it and with so many FOSS projects understaffed that is a nice target for exploitation, pure and simple.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  4. Please, it's "Lua", not "LUA" by TimHunter · · Score: 5, Informative

    "Lua" (pronounced LOO-ah) means "Moon" in Portuguese. As such, it is neither an acronym nor an abbreviation, but a noun. More specifically, "Lua" is a name, the name of the Earth's moon and the name of the language. Like most names, it should be written in lower case with an initial capital, that is, "Lua". Please do not write it as "LUA", which is both ugly and confusing, because then it becomes an acronym with different meanings for different people. So, please, write "Lua" right!

    http://www.lua.org/about.html

    1. Re:Please, it's "Lua", not "LUA" by Eth1csGrad1ent · · Score: 5, Funny

      Ahh yes, Lua... that's tied to Angry Birds isn't it?

    2. Re:Please, it's "Lua", not "LUA" by BanHammor · · Score: 2

      Just add an extra vertical line here, and you are all set.

  5. It is very simple. Virus "protection" isn't by Anonymous Coward · · Score: 5, Insightful

    You cannot solve the virus problem as it is an impossible situation.

    The only thing you can do is NOT MAKE VULNERABILITIES. And actually FIX the ones you find.

    The proprietary vendors are failing at that. Their fault is in the "not invented here" area as they cannot allow non-proprietary solutions to exist. And when they prevent shared solutions, they leave things overlooked, and then bugs, and then allow for virus entry.

    Not everyone can know everything - especially isolationist companies. These do not hire people that worked with other companies very well, as they are afraid of "code contamination". Those that have significant cross licensing powers could hire... but they usually also have "anti-poaching" agreements as well. This results in the lack of cross training in various techniques of programming, and promote internal bad practice... and the development of bad policies on how to program.

    1. Re:It is very simple. Virus "protection" isn't by RobbieThe1st · · Score: 5, Interesting

      To be fair, giving out your OS encryption keys to "friendly" nation-states for signed malware basically means that your OS, no matter how securely designed, will always have such malware.

    2. Re:It is very simple. Virus "protection" isn't by localman57 · · Score: 4, Interesting

      The only thing you can do is NOT MAKE VULNERABILITIES. And actually FIX the ones you find.

      I agree with the second part. The first part is probably wishful thinking with the exception of products that are small enough or well funded enough that you can do proofs of their security (such as a couple of the real-time operating systems out there).

      I think it's interesting to look at the way that safe vault makers approach this problem. No safe maker ever guarantees their safe to be uncrackable. Rather, they have a standard which basically says "A well qualified attacker with knowledge of the safe's internal workings, but no knowledge of the combination or access to the keys can be expected to breach this safe in X amount of time." They know it's a matter of when, not if. Encryption software people seem to get this as well.

    3. Re:It is very simple. Virus "protection" isn't by camperdave · · Score: 3, Interesting

      I've always wondered about "selfing" the software installed on a machine. In the body, cells that are part of the body are identified with a protein marker, and the immune system ignores cells with that marker. When a cell does not have that marker, it is considered a foreign invader and is destroyed. So, with software, you would have to add a marker code to it - branding it, as it were - for it to be acceptable to the antivirus software. Essentially, it would be a whitelisting system.

      --
      When our name is on the back of your car, we're behind you all the way!
    4. Re:It is very simple. Virus "protection" isn't by Anonymous Coward · · Score: 5, Interesting

      You don't even need to "give" them out. Flame was "signed by Microsoft" by exploiting a vulnerability in Terminal Services Licensing Server.

      "Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft."

      from Microsoft releases Security Advisory 2718704

    5. Re:It is very simple. Virus "protection" isn't by jythie · · Score: 4, Insightful

      Thing is, even with those proved systems, no amount of security is going to stop a good social engineering attack. At some point all systems will have some mechanism for changing their functionality unless the whole thing is ROM and has a hardware enforced switch for being able to change things... and even then all you need is one careless tech or a corrupt contractor and poof, you are infected.

      Technological solutions can improve the situation, but are not a panacea.

    6. Re:It is very simple. Virus "protection" isn't by drinkypoo · · Score: 5, Interesting

      When Microsoft finally got around to making a new TCP stack for Vista they reintroduced all the old bugs that were in the old stack because they proceeded from the same assumptions, forgot everything they learned improving the old stack, and went boldly forth like complete assholes. As a result you could teardrop or LAND Vista RCs. How does this happen? Because they were not using good programming practices.

      So it's true, you can't make NO vulnerabilities. But you CAN adopt not just good but proper practices that reduce the number of vulnerabilities you create. This is something Microsoft should try.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:It is very simple. Virus "protection" isn't by roothog · · Score: 2

      You should look up Stephanie Forrest's research. She's been doing things like that for the past 20 years. To give you an idea, she has a mid-90's paper called "A Sense of Self for UNIX Processes".
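The "sense of self" research roothog points to, and camperdave's selfing idea above, can be shown with a small added example (it is not code from the thread, from Forrest's group, or from any AV product). Following the approach of "A Sense of Self for UNIX Processes" in simplified form, it records every fixed-length window of system calls seen while a program behaves normally, then flags a later trace whose windows were never observed. The traces are constructed for a hypothetical log-rotating daemon, and the window length and the alert threshold are assumptions.

```python
"""Simplified Forrest-style syscall-sequence anomaly detector (added example)."""
from typing import Dict, List, Sequence, Set, Tuple

# Constructed training data: syscall names from "normal" runs of a hypothetical
# log-rotating daemon. Not captured from any real program.
NORMAL_TRACES: List[List[str]] = [
    ["open", "read", "read", "close", "open", "write", "write", "close"],
    ["open", "read", "close", "open", "write", "close"],
    ["open", "read", "read", "read", "close", "open", "write", "close"],
]

# Constructed suspicious trace: the same daemon opens a network socket and
# executes another program, behaviour never seen during training.
ANOMALOUS_TRACE: List[str] = [
    "open", "read", "close", "socket", "connect", "execve", "write",
]

Window = Tuple[str, ...]


def windows(trace: Sequence[str], k: int) -> List[Window]:
    """All contiguous length-k windows of a trace, in order."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_profile(traces: Sequence[Sequence[str]], k: int = 3) -> Set[Window]:
    """The 'self' database: every length-k window observed in normal runs."""
    profile: Set[Window] = set()
    for trace in traces:
        profile.update(windows(trace, k))
    return profile


def score_trace(trace: Sequence[str], profile: Set[Window],
                k: int = 3) -> Dict[str, object]:
    """Count windows of `trace` that are absent from the profile ('non-self')."""
    seen = windows(trace, k)
    unknown = [w for w in seen if w not in profile]
    return {"mismatches": len(unknown), "windows": len(seen), "unknown": unknown}


def is_anomalous(trace: Sequence[str], profile: Set[Window],
                 k: int = 3, threshold: float = 0.2) -> bool:
    """Alert when more than `threshold` of the windows are unknown (assumed cutoff)."""
    result = score_trace(trace, profile, k)
    total = int(result["windows"])
    return total > 0 and int(result["mismatches"]) / total > threshold


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    print("profile size:", len(profile))
    for name, trace in (("normal", NORMAL_TRACES[1]), ("suspect", ANOMALOUS_TRACE)):
        print(name, score_trace(trace, profile), "anomalous:", is_anomalous(trace, profile))
```

The windows a program produces depend on what it does, not on any marker attached to its binary, which is the practical difference between this behavioural "self" and camperdave's branding idea: a trojaned binary keeps the brand but cannot keep the profile. Training coverage is the weak point; a sequence never exercised during profiling will raise a false alarm, so the threshold is what trades missed detections against noise.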

  6. Maybe it's up to the OS by Dan9999 · · Score: 5, Interesting
    AV software is picking up the slack for badly designed operating systems. Kernels, drivers, the shell, the UI of software, management control and process control have all spiralled out of sync in their evolution in all OSes bar none which is a perfect breeding ground for this.

    Come on OS's, raise that bar so that AV companies can do the same.

  7. Wah... by Anonymous Coward · · Score: 5, Funny

    Wha. We suck. But, what can you do?

    Your subscription has expired. Please upgrade to Our Steaming Pile 2013. Now with more steam. Also, we hid some options to make it more challenging/interesting for you!

  8. Conspiracy theory by seyfarth · · Score: 3, Interesting

    With a western government involved, is it much more of a stretch to include assistance from Microsoft and even the AV companies? These companies might feel a sense of duty and might earn a lot of money to boot.

    --
    Ray Seyfarth, ray.seyfarth@gmail.com, http://rayseyfarth.blogspot.com
  9. Re:First, antivirus authors used generic tools to. by Toth · · Score: 5, Interesting

    Interesting article at the Internet Storm Center "Why Flame is Lame"
    http://isc.sans.edu/diary.html?storyid=13342#comment

  10. AV companies outside their element? by slack_justyb · · Score: 5, Informative

    I've not held much faith for anti-virus companies. Never was I under the idea that AV software would stop a *real* virus. To me, anti-virus software is just a way to keep the script kiddies and adware ActiveX controls off a system. Good computing habits preclude the need for AV software. Just my two cents.

    1. Re:AV companies outside their element? by upside · · Score: 4, Informative

      Pretty much what Mikko Hypponen is saying in the article:

      The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition. As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected. They have unlimited time to perfect their attacks. It’s not a fair war between the attackers and the defenders when the attackers have access to our weapons.

      --
      I'm sorry if I haven't offended anyone
    2. Re:AV companies outside their element? by Kjella · · Score: 4, Insightful

      Good computing habits preclude the need for AV software. Just my two cents.

      And how exactly would you know if mozilla.com has been compromised or if someone is running a MITM on you? Or if you're going to drag up Linux, how sure are you that not a single signing key to any package on your system is compromised? Good computing habits are good enough for my single consumer desktop, but they're not exactly hardened servers with tripwires, traffic policies, alerts and intense traffic monitoring. If they send a "real" virus directed towards me, I wouldn't bet too much on my good habits. It's all relative to the threat level, just like my apartment is fairly safe against common burglars but it's not exactly a jeweler's shop with millions in value nor is it a military bunker.

      As for AV software, yes I run it as a second opinion. Personally I don't think I'm too smart to make a blunder, or the odd combination of a seemingly trusted download and an old virus signature the AV will detect. Besides, how do you know your own opinion is correct? It's not like they announce themselves, it could be sending out your credit card info and be a proxy to everything without telling you. The silent ones are far more dangerous than the popup infestations and ransomware.

      --
      Live today, because you never know what tomorrow brings
    3. Re:AV companies outside their element? by slack_justyb · · Score: 2

      it could be sending out your credit card info and be a proxy to everything without telling you

      Don't use your credit card for online purchases, or in my case, set up a secondary bank-backed CC that has limited access to your primary funds. Move funding into the secondary as needed. Even if they get the CC number I use on the Internet, at best they are leaving with $11.38 at the current moment.

      or if someone is running a MITM on you

      Long story short, there are connections where I care about MITM and those where I don't. The ones where I don't care are because even if there was a MITM attack, they've gained absolutely nothing that they couldn't have already gained without attacking me. The ones where I do care, the connection is verified using a method not attached to the Internet. Most MITM attacks are simply watching the Internet traffic and are unaware that second and third channel communications are going on to verify the Internet connection.

      how sure are you that not a single signing key to any package on your system is compromised

      Again, long story short. Even if someone sent me a bad package, they'll gain nothing as nothing is stored on the machine and the machine has limited access to the information that I'm currently using. The state the machine was in when I get to it, is the state I leave the machine in. As far as network and CPU resources, simply checking your logs will show you any spikes that are out of the usual. A home PC has very little objective value. Usually CC, personal, contact, web history, etc. or CPU and bandwidth. Not very difficult to protect that information if you do not keep it on your machine and check your logs. Targeted attacks to get deeper information would spend more money on the attack than on what they gained; I'm okay with the idea that the ROI for the robber is in the negative. That'll teach them.

      Also that's a little disingenuous, most distros use one or two keys to sign all of the packages. So I would have to check one or two keys at most. Not exactly a huge sample size. Secondly, someone did hijack a key on Fedora at one point. It was easy to see that the key was jacked, and to check binaries at the tree in large volumes for differences. No differences were found, but if there were, code reviews would be possible to ensure that new builds wouldn't add in non-reviewed code. A signing key getting jacked isn't exactly a huge problem so long as the binary matches binaries built from reviewed code (aka checksums). MD5 has the ability to have collisions, which is why distros provide SHA and MD5 checksums, to mitigate that risk.

      A jacked key is only of value if no one finds out about it and bad code can get pushed to systems without anyone knowing. So jacked keys require a pretty hefty level of keeping quiet and silently moving updates in while no one is looking. Given that usually a good number of people are watching this, jacked keys are poor for targets at the mass. You'd want to use a hijacked private key at a very small target, because as soon as someone sounds the alarm, your key is useless. The fewer the eyes, the less the chance of getting caught.

      However, I do indeed check my binaries against checksums to make sure that updated packages match known good packages, so I'd be a tripwire for this kind of attack; they may hit me, but they would lose all value in their key. Again, the ROI would be negative on their side because they could have done a lot of damage, but if they hit the one guy that's paranoid and goes back and checks the binaries on every update, boom, all that damage they could have done is gone.
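Kjella's "tripwires" and slack_justyb's habit of checking updated binaries against known-good checksums come down to the same defender-side mechanism, shown here as an added example (not code from the thread, from Tripwire, or from any distribution's package tooling): take a SHA-256 baseline of a directory tree, keep it as JSON, and after an update report every file that changed, disappeared, or appeared. The directory, file names and contents are constructed in a temporary directory; the choice of SHA-256 rather than MD5 is the author's, taken because MD5 collisions are practical and a collision is exactly what a tampered binary with a matching checksum would be.

```python
"""Tripwire-style baseline and integrity check for a file tree (added example)."""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def sha256_of(path: str) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every file under `root` (relative, '/'-separated) to its SHA-256."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def compare_to_baseline(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files whose hash changed, files gone missing, and files not in the baseline."""
    current = build_baseline(root)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a tree, then simulate a tampered update."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        # Constructed stand-ins for installed binaries; contents are arbitrary bytes.
        with open(os.path.join(bindir, "sshd"), "wb") as fh:
            fh.write(b"known-good sshd build\n")
        with open(os.path.join(bindir, "ls"), "wb") as fh:
            fh.write(b"known-good ls build\n")

        # A real deployment stores the baseline off the monitored host so an
        # intruder cannot rewrite it along with the binaries.
        stored = json.dumps(build_baseline(root), sort_keys=True)

        # Simulated bad update: one binary replaced, one removed, one new file.
        with open(os.path.join(bindir, "sshd"), "wb") as fh:
            fh.write(b"rebuilt sshd with unreviewed code\n")
        os.remove(os.path.join(bindir, "ls"))
        with open(os.path.join(bindir, "nc"), "wb") as fh:
            fh.write(b"binary that was never in the baseline\n")

        return compare_to_baseline(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check only detects a mismatch between what is on disk and what the baseline recorded; it says nothing about whether the baseline itself was taken from reviewed code, which is the part slack_justyb's "binaries built from reviewed code" covers and which reproducible builds are meant to supply.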

  11. Re:Failed to detect? by AHuxley · · Score: 2

    It's Windows, a long list of new code efforts every day, in the wild and doing damage to end users' systems.
    They get the worst first and work back.

    --
    Domestic spying is now "Benign Information Gathering"
  12. A better solution: by bmo · · Score: 5, Funny

    Release armies of flying cats.

    Because if you're going to ignore what's in your database for two years, well, flying cats are better.

    https://www.youtube.com/watch?feature=player_embedded&v=-S4DZ_aWNuU#!

    --
    BMO

  13. A: because it breaks the flow of a message by DNS-and-BIND · · Score: 5, Funny

    Q: Why is starting a comment in the Subject: line incredibly annoying?

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  14. Re:First, antivirus authors used generic tools to. by bughunter · · Score: 5, Interesting

    but it gets a bit kinky later where they're detecting themselves...

    It's not kinky at all. They all do it, most of them nearly every day, but few of them admit it.

    Kinky is two of them detecting each other...

    --
    I can see the fnords!
  15. Re:First, antivirus authors used generic tools to. by postbigbang · · Score: 2

    Seen another way: Like all artillery system designers, you study the target, understand the medium through which the shell must traverse, and get the payload to the target.

    To think that Symantec and AVG and Kaspersky et al are omnipotent is silly. At some point, each of these companies has to avoid false positives because they get the worst PR possible when they make mistakes. There are millions of legitimate apps out there, no matter how well or poorly written. It's a matter of getting to the correct controller, seeding it with destructive code, and making sure the code survives long enough to deliver the damaging payload that's necessary. Certainly the explanation is vastly more simple than the deed, but it's the deed that was successful. Does one generate malware detection that traps such a thing: Maybe-- but you don't give it to anyone because no civilians have centrifuges that are used to make weapons grade material.

    --
    ---- Teach Peace. It's Cheaper Than War.
  16. What about the others? (Smart Fortress 2012) by Anonymous Coward · · Score: 4, Interesting

    My Dad's work PC got infected with "Smart Fortress 2012" mid-May. My mistake, I wasn't taking care of Flash and Acrobat reader. But an otherwise up-to-date XP, with an up-to-date Norton antivirus installed, got infected through a webpage. And even though the account was not an administrator account, Smart Fortress 2012 not only disabled Norton antivirus but rendered it inoperable - it had to be reinstalled (through the Administrator account).

    Lesson learned. Don't trust much Norton, don't trust much anything else and tighten up as much as possible.

  17. Nothing new here by Shoten · · Score: 4, Insightful

    Civilian-grade bullet-proof vests won't stop bullets fired from the primary weapons carried by military personnel. Conversely, military-grade body armor will stop rounds fired by 99% of the weapons held by civilians. The most heavily armored of civilian vehicles (and I do mean armored, as in cars that have been retrofitted, or the BMW models that can be bought pre-armored) would not stand up to military weaponry, while any armored military vehicle would shrug off an attack using weapons available to civilians. There are many other analogues involving surveillance technologies, etc. that show the dichotomy that has always existed between the military/intelligence communities and the civilian world.

    But so what? Of course their tools are more sophisticated...they should be. The day when civilians have the same capability to do harm that the military and intelligence communities do, things will go very, very badly.

    --
    For your security, this post has been encrypted with ROT-13, twice.
    1. Re:Nothing new here by Anonymous Coward · · Score: 2, Funny

      Conversely, military-grade body armor will stop rounds fired by 99% of the weapons held by civilians.

      You should c'mon down and visit us here in Texas.

    2. Re:Nothing new here by drinkypoo · · Score: 4, Interesting

      Civilian-grade bullet-proof vests won't stop bullets fired from the primary weapons carried by military personnel.

      ballocks

      Conversely, military-grade body armor will stop rounds fired by 99% of the weapons held by civilians.

      Oddly enough, you can have all the same typical service issue ammo that the military uses.

      The most heavily armored of civilian vehicles (and I do mean armored, as in cars that have been retrofitted, or the BMW models that can be bought pre-armored) would not stand up to military weaponry

      ...though neither do most military vehicles...

      while any armored military vehicle would shrug off an attack using weapons available to civilians

      Except for IEDs, for which we are having to redesign our entire fleet basically.

      The day when civilians have the same capability to do harm that the military and intelligence communities do, things will go very, very badly.

      Things have been going very, very badly for a long time. Companies like Coca-Cola and Nestle have their own military forces in third world countries. Corporatists have utterly taken over the majority of world governments. So while I agree with your premise, I don't agree with your conclusion. Civilians already have that capacity, and they always have, and things are already going that way.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Nothing new here by Threni · · Score: 2

      > Except for IEDs

      Exactly. Idiot goat farmers or whatever can take out the latest US vehicles again and again using cheap, readily available ingredients with innocuous legal uses plus a digital watch or walkie talkie. Such a shame the whole military/industrial complex is based on attacking Russia or whatever.

      Remind me again, which month do I have to work until before I start earning money for me and not just the taxman?

    4. Re:Nothing new here by moeinvt · · Score: 2

      "...bullets fired from the primary weapons carried by military personnel..."

      There is no appreciable difference between the penetrating power of a projectile fired from a military rifle and one fired from the civilian equivalent of the same weapon. In fact, many of the civilian model AR-15s are "Mil-Spec" and a lot of the bulk ammo available is military surplus. The difference is only in rate of fire. Military versions can selectively fire in 3-round burst (or full auto on older versions).

      "military-grade body armor will stop rounds fired by 99% of the weapons held by civilians"

      Well, I don't have an accurate picture of the breakdown of civilian weapon ownership, but the protection ratings on the body armor are standards. The armor is either "Level 3" (or whatever) or it's not. Nothing special about military versions.

  18. Antivirus is a poor solution anyway by SCHecklerX · · Score: 4, Insightful

    Once you are hit, it is already too late.

    What we as sysadmins and users should focus on instead is prevention.

    Unfortunately, prevention relies mostly on end user education. They will always download that cool image, or play that game, forward that e-card, etc. You can't cure user stupidity with technology. The car analogy would be, well, eliminate cars and make everyone take the train.

  19. Out of their league by sir-gold · · Score: 3, Insightful

    Of course they are out of their league with Stuxnet and Flame. The AV companies are used to fighting teenage hackers and Russian mobsters; they aren't prepared to fight two of the highest-funded militaries in the world (USA and Israel). It's hard to beat the enemy when they outnumber and "outgun" you by a factor of 100,000.

    1. Re:Out of their league by gweihir · · Score: 2

      Surprisingly though, Stuxnet was a good demonstration of how incompetent hackers will write their malware. There are quite a lot of mistakes, errors and incompetence in it. Of course, the Iranian defenders were even more incompetent, with no independent safety systems on their centrifuges that would have prevented the damage. Really pathetic on both sides.

      This basically shows that you can get past current AV software with something that is not very good in any regard. It also shows that the AV approach is fundamentally flawed.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  20. Re:apk is fail by drinkypoo · · Score: 2

    who is that 'U' who keeps failing (according to you)? there is no user named 'U' on slashdot, so who is it?

    Whoever replies to apk fails. I've done it. Don't do it.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  21. Not a surprise by gweihir · · Score: 2

    From a certain attacker competence and resource level upwards, a leaky bucket like Windows cannot be fixed anymore. It takes competent system administration on a solid platform and a minimal attack surface. It also takes quality engineering with security in mind on everything that is reachable over the network. Most current software is so pathetically insecure (and yes, that includes quite a bit of FOSS software), that no amount of add-ons will ever make it secure.

    On the other hand, software that was done with sound secure software engineering practices, competent personnel and adequate resources is very hard to attack and will quite often be impossible to attack. The saying that everything can be attacked is just a lame excuse for insecure software. It has no relation to what can actually be done.

    What the article also shows is that the reactive, try-to-patch-thousands-of-tiny-holes-on-insecure-platforms-by-external-software approach that the AV companies are selling is fundamentally limited. This is not a surprise to any real security expert.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  22. Right... by Corson · · Score: 2

    Flamer has been out in the wild since circa 2007, with an MS-signed certificate, and the first IT security organization that decides to bring it to public attention is a Russian company, and the first removal tool is from a Romanian company. Right, because all of these antivirus companies are so dumb they cannot detect a 20 MB spyware pack on Windows machines for four years.

  23. Consumer-grade by mrex · · Score: 4, Interesting

    The most bothersome statement to me is right here:

    >consumer-grade antivirus products

    Look, we all know that more advanced solutions are out there, antivirus techniques that rely on advanced chipset features and even custom hardware modules to protect systems. Yet we're still stuck using the same old known-signature-scanning, high-level-OS-API-using *shit* that wasn't up to the job a decade ago. Why? Are the billions of dollars a year in claimed corporate losses to computer intrusions insufficient profit motive for someone to bring something better to market? Are we really expected to believe that billion dollar companies like Intel, Microsoft, Google, and Apple simply aren't up to the technical challenge, let alone government agencies like the NSA whose job it is supposed to be to protect the security of America's communications? I guess they're too busy violating that security to care, these days.

    The pace of progress on the consumer internet used to be blinding. Now, with the network mostly taken over by large corporations and the governments they are symbiotic with, and the capture of the knowledge and creative spheres by government dollars and NDAs, the internet is becoming just as dysfunctional as the lumbering dinosaurs all-too-willing to ruin anything and hurt anyone necessary to ensure their continued place at the head of the table.

    1. Re:Consumer-grade by cyberfunkr · · Score: 3, Insightful

      The most bothersome statement to me is right here:

      >consumer-grade antivirus products

      Look, we all know that more advanced solutions are out there, antivirus techniques that rely on advanced chipset features and even custom hardware modules to protect systems. Yet we're still stuck using the same old known-signature-scanning, high-level-OS-API-using *shit* that wasn't up to the job a decade ago.

      Agreed.

      One of my biggest issues with most AV software nowadays is that they claim to be improving, but still use the same methodologies as always. What they are spending their money, time, and resources on is the f'n UI. In the end, I really don't need or want a pretty UI. Don't nag me about updates, just do it. I don't need a graph showing how many files were scanned per hour/day, just scan. I don't need a separate screen showing how well the mail scanner is working versus the web scanner. Just put a small icon in the system tray to say, "Your AV is running. Keep calm and carry on."

      If the software does find something, pop up a simple box saying: here is what was found, where it found it, why it thinks it's bad, and what it should do. Oh, and make sure that the name of the virus is copy-able, so that I can paste it into a Google search and see details about what I'm up against.