Antivirus Firms Out of Their League With Stuxnet, Flame

Hugh Pickens writes "Mikko Hypponen, Chief Research Officer of software security company F-Secure, writes that when his company heard about Flame, they went digging through their archive for related samples of malware and were surprised to find that they already had samples of Flame, dating back to 2010 and 2011, that they were unaware they possessed. 'What this means is that all of us had missed detecting this malware for two years, or more. That's a spectacular failure for our company, and for the antivirus industry in general.' Why weren't Flame, Stuxnet, and Duqu detected earlier? The answer isn't encouraging for the future of cyberwar. All three were most likely developed by a Western intelligence agency as part of covert operations that weren't meant to be discovered and the fact that the malware evaded detection proves how well the attackers did their job. In the case of Stuxnet and Duqu, they used digitally signed components to make their malware appear to be trustworthy applications and instead of trying to protect their code with custom packers and obfuscation engines — which might have drawn suspicion to them — they hid in plain sight. In the case of Flame, the attackers used SQLite, SSH, SSL and LUA libraries that made the code look more like a business database system than a piece of malware. 'The truth is, consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets,' writes Hypponen, adding that it's highly likely there are other similar attacks already underway that we haven't detected yet because simply put, attacks like these work. 'Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn't. We were out of our league, in our own game.'"
  • by trout007 ( 975317 ) on Monday June 04, 2012 @08:11AM (#40207385)

    I mean seriously does anyone think the OS companies aren't in on this type of operation?

    It reminds me of the CIA-Xerox story.

    http://dagmar.lunarpages.com/~parasc2/articles/0197/xerox.htm [lunarpages.com]

    • by Narcocide ( 102829 ) on Monday June 04, 2012 @08:18AM (#40207419) Homepage

      Well that's one good theory, but I suppose that if it's possible to make a virus like Stuxnet primarily target only computers that control Iranian uranium enriching centrifuges it would be also possible to write the same virus to *avoid* activating itself anywhere in sight of machines owned by anti-virus corporations.

      There's still some level of plausible deniability here, the real question is what to do about the fact that installing anti-virus software in the first place is, while not effective enough, also the limit of most users' capability to secure their computers.

      • It happened to do something to Iranian centrifuges. It probably did something different on journalist or senator PCs that caught the virus.

        What the system needs is more honeypots monitoring net activity and changes to the system image.

        It will be tough considering how big systems are and how difficult it is to simulate all user activity but it should be sufficient to find a lot of drive by trojans and viruses, if not user installed malware.
    • Re: (Score:2, Interesting)

      by Anonymous Coward
      For that matter, an anti-virus expert would be a good person to ask how to get past anti-virus.
    • Not the OS companies, the AV companies
      Ironic, no, that a virus with a definite source that isn't an AV company is also immune to those same AV companies?
      • by PPH ( 736903 ) on Monday June 04, 2012 @10:25AM (#40208541)

        The tin foil hatters who worry about NSA-mandated back doors should be worrying about how many code signing keys the CIA/FBI/NSA/Pentagon have extracted from Microsoft. Or borrowed from gov't contractors (Boeing/Lockheed/etc).

        And how many US based AV companies, have "found something" out there on the Internet and put it into their database. But then failed to act on it at the behest of one of these TLAs.

        That may be one reason Kaspersky has blown the whistle on a few things recently. How is the NSA going to call a Russian company and ask them to sit on some information without that making its way into their intelligence services? And used as leverage in future political events?

        • "The tin foil hatters who worry about NSA-mandated back doors" shouldn't be running Windows for anything but gaming....

      • by mrex ( 25183 )

        >Not the OS companies, the AV companies

        Not an either/or. All these big companies know who butters their bread, and jump at the chance to work with "007" anyway.

    • by stephanruby ( 542433 ) on Monday June 04, 2012 @10:47AM (#40208793)

      Sure, the OS companies. Yes.

      But not the anti-virus companies, which is what we're talking about here. The anti-virus companies are just script kiddies. Their core competencies are public relations and cookie scaremongering, but that's all. They do not pay people to do original research, that would cut into their profit margins.

      If they can detect something, it's only because someone else did the research and posted it on their blog. Once someone has written some manual instructions for detecting the malware and removing it, the anti-virus companies are capable of writing a script that tries to do the same automatically, but even that sometimes stretches the limit of their capabilities since they can't even do that part correctly many of the times.

      The real research is done by people like Mark Russinovich [microsoft.com] (and yes, you don't have to trust anything he has written after his company was acquired by Microsoft, you can just take a look at his oldest blog posts first -- which pre-date the acquisition).

    • by mrex ( 25183 ) on Monday June 04, 2012 @10:55AM (#40208873)

      Right down to Microsoft's "mistake" in their Terminal Server certificate assignment process, that "accidentally" allowed those certificates to be used to sign code.

  • by ArsenneLupin ( 766289 ) on Monday June 04, 2012 @08:11AM (#40207391)
    ... write their warez. And they were easily disassembled, and recognized for the evil they were.

    Then they started using custom packers and obfuscators, making them as hard to reverse engineer as Skype.

    But anti-virus software just started detecting the packers and obfuscators, which no legitimate code would have...

    So, now they went back to using generic tools and libraries. Full circle!

  • P.S. (Score:5, Insightful)

    by CajunArson ( 465943 ) on Monday June 04, 2012 @08:15AM (#40207403) Journal

    If these things really are being written by western intelligence agencies then don't think that Windows is the only platform they can compromise.

    • Re:P.S. (Score:4, Funny)

      by Opportunist ( 166417 ) on Monday June 04, 2012 @09:11AM (#40207801)

      Not wanting to break NDAs but: You overestimate the intelligence in intelligence...

    • Re:P.S. (Score:4, Interesting)

      by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Monday June 04, 2012 @10:53AM (#40208855) Homepage Journal

      If these things really are being written by western intelligence agencies then don't think that Windows is the only platform they can compromise.

      Why not? Granted, they have access to all the same attacks the rest of us do, but Windows is the only operating system whose back doors they are in a position to be effectively the sole parties familiar with them. Remember when Microsoft was shown to be guilty of violating its monopoly status? Remember how nothing ever came of that? No, something came of that. Microsoft is now a part of the same group of assholes that controls politics in America. Bill Gates is in like Flynn; he does as he's told and controls vast sums.

      You may have noted (here and elsewhere) that the US government told people to use Vista for security. That announcement was met with loud guffaws here on Slashdot, but I presumed then and presume now that it was because it's the operating system they're deepest into. But presumably they've been deep into Windows since NT.

      • Or, put another way, "extraordinary claims require extraordinary evidence."

      • You obviously didn't bother to RTFA did you? Did you notice the list of components that were found in Flame? Lessee here: OpenSSH, OpenSSL, Lua, Sqlite...

        Hrm.. now, what OS is most likely to have all of these components already installed by default so that an attacker doesn't even have to bother installing them AND so that it will be even harder to detect the malware since those tools are expected to be installed on the system anyway... I KNOW! That system *MUST* be Windows because Microsoft is known to bui

        • so that MUST be the reason that Linux is magically and completely invincible

          what? who said anything remotely resembling that?

          if you didn't like the post you replied to, try addressing it. instead of just spazzing and making a boo boo. geez.

  • by TimHunter ( 174406 ) on Monday June 04, 2012 @08:15AM (#40207407)

    "Lua" (pronounced LOO-ah) means "Moon" in Portuguese. As such, it is neither an acronym nor an abbreviation, but a noun. More specifically, "Lua" is a name, the name of the Earth's moon and the name of the language. Like most names, it should be written in lower case with an initial capital, that is, "Lua". Please do not write it as "LUA", which is both ugly and confusing, because then it becomes an acronym with different meanings for different people. So, please, write "Lua" right!

    http://www.lua.org/about.html [lua.org]

  • by Anonymous Coward on Monday June 04, 2012 @08:18AM (#40207427)

    You cannot solve the virus problem as it is an impossible situation.

    The only thing you can do is NOT MAKE VULNERABILITIES. And actually FIX the ones you find.

    The proprietary vendors are failing at that. Their fault is in the "not invented here" area as they cannot allow non-proprietary solutions to exist. And when they prevent shared solutions, they leave things overlooked, and then bugs, and then allow for virus entry.

    Not everyone can know everything - especially isolationist companies. These do not hire people that worked with other companies very well, as they are afraid of "code contamination". Those that have significant cross licensing powers could hire... but they usually also have "anti-poaching" agreements as well. This results in the lack of cross training in various techniques of programming, and promote internal bad practice... and the development of bad policies on how to program.

    • by RobbieThe1st ( 1977364 ) on Monday June 04, 2012 @08:26AM (#40207459)

      To be fair, giving out your OS encryption keys to "friendly" nation-states for signed malware basically means that your OS, no matter how securely designed, will always have such malware.

      • by Anonymous Coward on Monday June 04, 2012 @08:53AM (#40207609)

        You don't even need to "give" them out. Flame was "signed by Microsoft" by exploiting a vulnerability in Terminal Services Licensing Server.

        "Specifically, our Terminal Server Licensing Service, which allowed customers to authorize Remote Desktop services in their enterprise, used that older algorithm and provided certificates with the ability to sign code, thus permitting code to be signed as if it came from Microsoft."

        from Microsoft releases Security Advisory 2718704 [technet.com]
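The comment above describes a chain of trust that was never meant to produce code-signing certificates but did. As an added example (not code from the page, from Microsoft, or from the Flame analysis), the following Python models the policy a verifier can enforce to refuse such a chain: every certificate from leaf to trust anchor must permit the code-signing purpose, no certificate in the chain may be signed with a deprecated hash (MD5 is used here as the stand-in for the advisory's "older algorithm"; that mapping is an assumption of this model), and any certificate placed in an explicit untrusted list rejects the chain, which is the remediation route the advisory took. Certificates are plain dataclasses constructed inline rather than parsed X.509, so the policy is visible without an ASN.1 parser; the names, OIDs' roles and sample chains are constructed for illustration and do not describe the real Microsoft certificates.

```python
"""Chain-purpose policy for code signing, modelled on the Flame certificate case.

Added example: certificates are modelled as dataclasses so that the policy
(purpose must hold along the whole chain, weak signature algorithms are
rejected, explicitly untrusted CAs poison the chain) is readable on its own.
"""
from __future__ import annotations

from dataclasses import dataclass

CODE_SIGNING = "1.3.6.1.5.5.7.3.3"  # id-kp-codeSigning
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage
# Assumption of this model: MD5-based signatures are the "older algorithm".
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "md2WithRSAEncryption"}


@dataclass
class Cert:
    subject: str
    issuer: str
    is_ca: bool
    sig_alg: str                        # algorithm the issuer used to sign this cert
    eku: frozenset[str] | None = None   # None: extension absent (no restriction)


def effective_eku(chain):
    """Intersection of EKU sets from leaf to root.

    A missing extension or anyExtendedKeyUsage adds no restriction.
    Returns None when nothing in the chain restricts purpose at all.
    """
    allowed = None
    for c in chain:
        if c.eku is None or ANY_EKU in c.eku:
            continue
        allowed = set(c.eku) if allowed is None else allowed & c.eku
    return allowed


def validate_for_code_signing(chain, trusted_roots, disallowed):
    """chain[0] is the leaf, chain[-1] must be a trusted root. Returns (ok, reason)."""
    if not chain:
        return False, "empty chain"
    if chain[-1].subject not in trusted_roots:
        return False, "chain does not end in a trusted root"
    for i, c in enumerate(chain):
        if c.subject in disallowed:
            return False, f"{c.subject} is explicitly untrusted"
        if i > 0 and not c.is_ca:
            return False, f"{c.subject} is not a CA but issued {chain[i - 1].subject}"
        if i < len(chain) - 1 and c.issuer != chain[i + 1].subject:
            return False, f"{c.subject} was not issued by {chain[i + 1].subject}"
        # The root's self-signature is not load-bearing; every other link is.
        if i < len(chain) - 1 and c.sig_alg in WEAK_SIG_ALGS:
            return False, f"{c.subject} signed with weak algorithm {c.sig_alg}"
    eku = effective_eku(chain)
    if eku is not None and CODE_SIGNING not in eku:
        return False, "code signing not permitted along the whole chain"
    return True, "ok"


def build_demo_chains():
    """Constructed sample chains; names are illustrative, not real certificates."""
    root = Cert("Example Root CA", "Example Root CA", True, "sha256WithRSAEncryption")
    good_ca = Cert("Example Code Signing CA", "Example Root CA", True,
                   "sha256WithRSAEncryption", frozenset({CODE_SIGNING}))
    # An intermediate issued for a different purpose (server auth stands in for licensing).
    lic_ca = Cert("Example Licensing CA", "Example Root CA", True,
                  "sha256WithRSAEncryption", frozenset({SERVER_AUTH}))
    lic_ca_md5 = Cert("Example Licensing CA (MD5)", "Example Root CA", True,
                      "md5WithRSAEncryption", None)
    legit = Cert("Vendor Driver", "Example Code Signing CA", False,
                 "sha256WithRSAEncryption", frozenset({CODE_SIGNING}))
    rogue = Cert("Rogue Module", "Example Licensing CA", False,
                 "sha256WithRSAEncryption", frozenset({CODE_SIGNING}))
    rogue_md5 = Cert("Rogue Module (MD5)", "Example Licensing CA (MD5)", False,
                     "md5WithRSAEncryption", frozenset({CODE_SIGNING}))
    return {
        "legit": [legit, good_ca, root],
        "rogue_eku": [rogue, lic_ca, root],
        "rogue_md5": [rogue_md5, lic_ca_md5, root],
    }


def run_demo():
    chains = build_demo_chains()
    roots = {"Example Root CA"}
    results = {name: validate_for_code_signing(c, roots, set()) for name, c in chains.items()}
    # Remediation as in the advisory: push an intermediate to the untrusted store;
    # every chain through it then fails, however well-formed it otherwise is.
    results["legit_after_revocation"] = validate_for_code_signing(
        chains["legit"], roots, {"Example Code Signing CA"})
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_demo().items():
        print(f"{name:24s} {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The leaf in the "rogue_eku" chain carries a perfectly good code-signing purpose of its own; it is only rejected because the purpose is intersected along the chain, which is the check that makes "issued by a CA that exists for licensing" matter. Real verifiers do this over parsed X.509 and CryptoAPI's actual rules are more involved, so treat this as the shape of the policy rather than a drop-in implementation.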

    • by localman57 ( 1340533 ) on Monday June 04, 2012 @08:30AM (#40207485)

      The only thing you can do is NOT MAKE VULNERABILITIES. And actually FIX the ones you find.

      I agree with the second part. The first part is probably wishful thinking with the exception of products that are small enough or well funded enough that you can do proofs of their security (such as a couple of the real-time operating systems out there).

      I think it's interesting to look at the way that safe vault makers approach this problem. No safe maker ever guarantees their safe to be uncrackable. Rather, they have a standard which basically says "A well qualified attacker with knowledge of the safe's internal workings, but no knowledge of the combination or access to the keys can be expected to breach this safe in X amount of time." They know it's a matter of when, not if. Encryption software people seem to get this as well.

      • by jythie ( 914043 ) on Monday June 04, 2012 @09:04AM (#40207729)
        Thing is, even with those proved systems, no amount of security is going to stop a good social engineering attack. At some point all systems will have some mechanism for changing their functionality unless the whole thing is ROM and has a hardware enforced switch for being able to change things... and even then all you need is one careless tech or a corrupt contractor and poof, you are infected.

        Technological solutions can improve the situation, but are not a panacea.
      • When Microsoft finally got around to making a new TCP stack for Vista they reintroduced all the old bugs that were in the old stack because they proceeded from the same assumptions, forgot everything they learned improving the old stack, and went boldly forth like complete assholes. As a result you could teardrop or LAND Vista RCs. How does this happen? Because they were not using good programming practices.

        So it's true, you can't make NO vulnerabilities. But you CAN adopt not just good but proper practices that reduce the number of vulnerabilities you create. This is something Microsoft should try.

    • by camperdave ( 969942 ) on Monday June 04, 2012 @08:36AM (#40207527) Journal
      I've always wondered about "selfing" the software installed on a machine. In the body, cells that are part of the body are identified with a protein marker, and the immune system ignores cells with that marker. When a cell does not have that marker, it is considered a foreign invader and is destroyed. So, with software, you would have to add a marker code to it - branding it, as it were - for it to be acceptable to the antivirus software. Essentially, it would be a whitelisting system.
      • by roothog ( 635998 )

        You should look up Stephanie Forrest's research. She's been doing things like that for the past 20 years. To give you an idea, she has a mid-90's paper called "A Sense of Self for UNIX Processes".
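As an added example of the approach the reply above points to (not code from the page, and not the paper's own database format), the following Python profiles a process by short windows of its system-call sequence: every k-length window seen during normal runs is recorded as "self", and a new trace is scored by the fraction of its windows that were never seen. This is the contiguous-window simplification of Forrest's method rather than the lookahead-pair table the original paper describes; the traces are constructed to resemble a small network daemon and are not real captures, and the threshold is a parameter chosen for the demo.

```python
"""Process 'sense of self' from system-call windows (simplified Forrest-style).

Added example. Normal traces are constructed; a profile is the set of all
contiguous k-call windows they contain, and a trace is scored by the share
of its windows absent from that set.
"""

# Constructed traces of a hypothetical accept/read/write daemon.
NORMAL_TRACES = [
    "socket bind listen accept read write close accept read write close".split(),
    "socket bind listen accept read read write close".split(),
]
# Constructed trace where the handler spawns a process after reading input.
ATTACK_TRACE = "socket bind listen accept read execve fork write close".split()


def windows(trace, k):
    """All contiguous k-call windows of a trace, in order."""
    return [tuple(trace[i:i + k]) for i in range(len(trace) - k + 1)]


def build_profile(normal_traces, k=6):
    """'Self' for a program: the set of every k-window observed in normal runs."""
    profile = set()
    for trace in normal_traces:
        profile.update(windows(trace, k))
    return profile


def score(trace, profile, k=6):
    """Fraction of the trace's windows not in the profile; 0.0 means fully 'self'."""
    ws = windows(trace, k)
    if not ws:
        return 0.0
    misses = sum(1 for w in ws if w not in profile)
    return misses / len(ws)


def anomalous_windows(trace, profile, k=6):
    """The specific unseen windows, for an analyst to look at."""
    return [w for w in windows(trace, k) if w not in profile]


def is_self(trace, profile, k=6, threshold=0.1):
    """Accept a trace as the program's own behaviour if few enough windows are unseen.

    The threshold is a demo parameter; a deployment tunes it on held-out normal runs.
    """
    return score(trace, profile, k) <= threshold


if __name__ == "__main__":
    prof = build_profile(NORMAL_TRACES, k=3)
    for name, t in (("normal", NORMAL_TRACES[0]), ("attack", ATTACK_TRACE)):
        print(f"{name}: score={score(t, prof, k=3):.3f} self={is_self(t, prof, k=3)}")
    print("unseen windows:", anomalous_windows(ATTACK_TRACE, prof, k=3))
```

With k=3 the attack trace has four of seven windows that no normal run produced, all of them around the execve/fork pair, while a normal trace scores zero. The two weaknesses a practitioner would check first are the training set (a profile built while the host was already infected enrols the malware as "self", which is exactly the two-years-unnoticed problem the story is about) and mimicry (an attacker who knows the profile can interleave benign calls to keep every window in it).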

    • by Kijori ( 897770 )

      I think maybe that blaming either company - either the OS designer or the AV company - is a little unreasonable. The AV companies were out of their depth, as the article says; the OS team are also out of their depth here. But is that really a surprise? Is this really something that it's reasonable to expect them to be able to cope with?

      Even if you hire the best locksmiths and builders around a government agency will still be able to get into your house. If you hire the best bodyguards in the world a nation

  • by Dan9999 ( 679463 ) on Monday June 04, 2012 @08:22AM (#40207439)
    AV software is picking up the slack for badly designed operating systems. Kernels, drivers, the shell, the UI of software, management control and process control have all spiralled out of sync in their evolution in all OSes bar none which is a perfect breeding ground for this.

    Come on OS's, raise that bar so that AV companies can do the same.

    • by mcgrew ( 92797 ) *

      AV software is picking up the slack for badly designed operating systems.

      I know of only one operating system that needs AV. Are you telling me that MacOS, iOS, BSD, OSX, and Linux need AV? because I've never heard of a virus in the wild ever attacking any of those OSes.

      Call a spade a spade: AV software is picking up the slack for Microsoft's badly designed operating systems (and MS shills and fanbois with mod points be damned).

      Microsoft needs to get its act together. Microsoft is the culprit here, and is t

  • Wah... (Score:5, Funny)

    by Anonymous Coward on Monday June 04, 2012 @08:23AM (#40207445)

    Wha. We suck. But, what can you do?

    Your subscription has expired. Please upgrade to Our Steaming Pile 2013. Now with more steam. Also, we hid some options to make it more challenging/interesting for you!

  • Your products do have a tendency to delete system files though. Maybe antivirus software should be a bit more than writing definitions to known CVSs and some anomaly engine which thinks every file in a profile directory is suspicious. While antivirus software is another layer of security, it's a pretty shitty one.
  • Conspiracy theory (Score:3, Interesting)

    by seyfarth ( 323827 ) on Monday June 04, 2012 @08:29AM (#40207481) Homepage

    With a western government involved, is it much more of a stretch to include assistance from Microsoft and even the AV companies? These companies might feel a sense of duty and might earn a lot of money to boot.

    • I just pushed out a root cert revocation update to help fight the untrusted Microsoft cert that was used for this. I wonder if this "flame" was meant to target the public, or another attack that got out of control?
  • Anti-virus software companies need to acquire, profile, and create removal code for new threats before they can do much to mitigate it. Now obviously, that's going to take genuine time and effort in cases where they didn't write the virus themselves.

  • Failed to detect? (Score:2, Redundant)

    by Scutter ( 18425 )

    By the author's own admission, they didn't "fail to detect". They HAD copies of the virus in their reporting database but ignored them. Why are customers reporting samples if the antivirus companies aren't paying any attention? I'd like to hear more on that explanation and not more excuses like "well, it works like a business database".

    • by AHuxley ( 892839 )
      It's Windows, a long list of new code efforts every day, in the wild and doing damage to end users' systems.
      They get the worst first and work back.
  • by slack_justyb ( 862874 ) on Monday June 04, 2012 @08:39AM (#40207543)
    I've not held much faith for anti-virus companies. Never was I under the idea that AV software would stop a *real* virus. To me, anti-virus software is just a way to keep the script kiddies and adware ActiveX controls off a system. Good computing habits preclude the need for AV software. Just my two cents.
    • by upside ( 574799 ) on Monday June 04, 2012 @09:43AM (#40208075) Journal

      Pretty much what Mikko Hypponen is saying in the article:

      The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition. As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected. They have unlimited time to perfect their attacks. It’s not a fair war between the attackers and the defenders when the attackers have access to our weapons.

    • by Kjella ( 173770 ) on Monday June 04, 2012 @09:50AM (#40208153) Homepage

      Good computing habits preclude the need for AV software. Just my two cents.

      And how exactly would you know if mozilla.com has been compromised or if someone is running a MITM on you? Or if you're going to drag up Linux, how sure are you that not a single signing key to any package on your system is compromised? Good computing habits are good enough for my single consumer desktop, but they're not exactly hardened servers with tripwires, traffic policies, alerts and intense traffic monitoring. If they send a "real" virus directed towards me, I wouldn't bet too much on my good habits. It's all relative to the threat level, just like my apartment is fairly safe against common burglars but it's not exactly a jeweler's shop with millions in value nor it is a military bunker.

      As for AV software, yes I run it as a second opinion. Personally I don't think I'm too smart to make a blunder, or the odd combination of a seeming trusted download and an old virus signature the AV will detect. Besides, how do you know your own opinion is correct? It's not like they announce themselves, it could be sending out your credit card into and be a proxy to everything without telling you. The silent ones are far more dangerous than the popup infestations and ransomware.

      • it could be sending out your credit card into and be a proxy to everything without telling you

        Don't use your credit card for online purchases, or in my case, setup a secondary bank backed CC that has limited access to your primary funds. Move funding into the secondary as needed. Even if they get the CC number I use on the Internet, at best they are leaving with $11.38 at the current moment.

        or if someone is running a MITM on you

        Long story short, there are connections where I care about MITM and those that I don't care about them. The ones where I don't care are because even if there was a MITM attack, they've gain absolutely nothin

      • by 0123456 ( 636235 )

        Or if you're going to drag up Linux, how sure are you that not a single signing key to any package on your system is compromised?

        Unlike Windows, there are only a tiny number of such keys. You can't exploit them the same way these guys apparently did by creating a random key signed by another random key which happened to be flagged as a CA key, because it wouldn't be accepted when installing the package.

        Yes, it's possible that someone has hacked into Red Hat and Ubuntu and stolen a signing key, but if that's the case then we have much bigger problems to worry about.

        • by Kjella ( 173770 )

          Unlike Windows, there are only a tiny number of such keys. You can't exploit them the same way these guys apparently did by creating a random key signed by another random key which happened to be flagged as a CA key, because it wouldn't be accepted when installing the package.

          The key that verifies that it comes from the $distro repository, yes. But there are many thousands of developers and packagers that could be compromised so you get a signed trojan horse, it's not like the distro does code review. Like for example OpenSSL that was badly broken for two years in all Debian based distros and that was pure ignorance, public and obvious. How hard do you think it would be to discover a malicious and covert custom exploit targeting only a few machines? It could have gone unnoticed

      • Running without an AV works ONLY if
        a) You are intelligent enough to avoid viruses
        AND
        b) Anyone you frequently communicate with have no viruses
        AND
        c) Any sites you frequent have not been compromised.

        That third one is what got me. A webcomic I read - quite a popular one, not at all a shady, untrustworthy site - got exploited, and was used to serve out malware. I happened to read it during the few hours it was compromised. The malware got past Adblock. Everything was fully up-to-date, from Firefox to Java to Win

      • by mcgrew ( 92797 ) *

        I stopped using AV software when it failed to protect me from XCP. Who would have thought that a large, well respected company like Sony would deliberately infect their paying customers' computers? The irony is, if my daughter had just downloaded the songs instead of buying it from the record store she worked at, I'd not have gotten infected.

        If mozilla.com got infected, your AV software isn't going to help any more than mine protected me against XCP.

    • Government agencies have little problem with antivirus software for consumer, and you say you don't have much faith in AV? Well, wouldn't it be far more disconcerting if $20 a year software COULD defeat the CIA's (or whoever) malware?

      I mean, a story about how the CIA can get past your deadbolt and home alarm system wouldn't be shocking, would it? News that the US army can outgun the security guard at your job... no shit.

      Of course, the problem is that it DOESN'T require a multi-billion budget to
  • by bmo ( 77928 ) on Monday June 04, 2012 @08:47AM (#40207573)

    Release armies of flying cats.

    Because if you're going to ignore what's in your database for two years, well, flying cats are better.

    https://www.youtube.com/watch?feature=player_embedded&v=-S4DZ_aWNuU# [youtube.com]!

    --
    BMO

  • by Anonymous Coward on Monday June 04, 2012 @09:09AM (#40207777)

    My Dad's work PC got infected with "Smart Fortress 2012" mid-May. My mistake, I wasn't taking care of Flash and Acrobat reader. But an otherwise up-to-date XP, with an up-to-date Norton antivirus installed, got infected through a webpage. And even though the account was not an administrator account, Smart Fortress 2012 not only disabled Norton antivirus but rendered it inoperable - it had to be reinstalled (through the Administrator account).

    Lesson learned. Don't trust much Norton, don't trust much anything else and tighten up as much as possible.

  • Well, DUH.

    AV kits can only protect against attacks that are known. They may be able to detect new variants of attacks, so once a certain botnet type is known they may well be able to find zero-day developments if their heuristics are good (not a trivial task, but some have mighty good detection rates against unknown variants), but how are they supposed to detect what is simply not known to be a threat?

    And likewise they cannot protect against attacks that target YOUR and only YOUR company. Where'd they get s

  • Nothing new here (Score:5, Insightful)

    by Shoten ( 260439 ) on Monday June 04, 2012 @09:46AM (#40208105)

    Civilian-grade bullet-proof vests won't stop bullets fired from the primary weapons carried by military personnel. Conversely, military-grade body armor will stop rounds fired by 99% of the weapons held by civilians. The most heavily armored of civilian vehicles (and I do mean armored, as in cars that have been retrofitted, or the BMW models that can be bought pre-armored) would not stand up to military weaponry, while any armored military vehicle would shrug off an attack using weapons available to civilians. There are many other analogues involving surveillance technologies, etc. that show the dichotomy that has always existed between the military/intelligence communities and the civilian world.

    But so what? Of course their tools are more sophisticated...they should be. The day when civilians have the same capability to do harm that the military and intelligence communities do, things will go very, very badly.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Conversely, military-grade body armor will stop rounds fired by 99% of the weapons held by civilians.

      You should c'mon down and visit us here in Texas.

    • Re:Nothing new here (Score:5, Interesting)

      by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Monday June 04, 2012 @10:49AM (#40208805) Homepage Journal

      Civilian-grade bullet-proof vests won't stop bullets fired from the primary weapons carried by military personnel.

      bollocks [bulletproofme.com]

      Conversely, military-grade body armor will stop rounds fired by 99% of the weapons held by civilians.

      Oddly enough, you can have all the same typical service issue ammo that the military uses.

      The most heavily armored of civilian vehicles (and I do mean armored, as in cars that have been retrofitted, or the BMW models that can be bought pre-armored) would not stand up to military weaponry

      ...though neither do most military vehicles...

      while any armored military vehicle would shrug off an attack using weapons available to civilians

      Except for IEDs, for which we are having to redesign our entire fleet basically.

      The day when civilians have the same capability to do harm that the military and intelligence communities do, things will go very, very badly.

      Things have been going very, very badly for a long time. Companies like Coca-Cola and Nestle have their own military forces in third world countries. Corporatists have utterly taken over the majority of world governments. So while I agree with your premise, I don't agree with your conclusion. Civilians already have that capacity, and they always have, and things are already going that way.

      • by Threni ( 635302 )

        > Except for IEDs

        Exactly. Idiot goat farmers or whatever can take out the latest US vehicles again and again using cheap, readily available ingredients with innocuous legal uses plus a digital watch or walkie talkie. Such a shame the whole military/industrial complex is based on attacking Russia or whatever.

        Remind me again, which month do I have to work until before I start earning money for me and not just the taxman?

        • by Shoten ( 260439 )

          Question: What are most IEDs made from?

          Answer: Artillery shells.

          Question: Can you buy artillery shells at Wal-mart? How about Home Depot? Radio Shack?

    • by hob42 ( 41735 )

      The day when civilians have the same capability to do harm that the military and intelligence communities do, things will go very, very badly.

      Right, because if they did, then civilians might rebel against an unjust, unpopular, non-representative government.

      Oh, wait. That's actually a founding principle of the USA: the government should be afraid of the people, not the other way around. The only way to ensure that is to make sure the people have the ability to overthrow the government and its military forces, should the need arise.

    • by moeinvt ( 851793 )

      "...bullets fired from the primary weapons carried by military personnel..."

      There is no appreciable difference between the penetrating power of a projectile fired from a military rifle and one fired from the civilian equivalent of the same weapon. In fact, many of the civilian model AR-15s are "Mil-Spec" and a lot of the bulk ammo available is military surplus. The difference is only in rate of fire. Military versions can selectively fire in 3 round burst(or full auto on older versions).

      "military-grade b

  • by jiteo ( 964572 )

    The truth is, consumer-grade antivirus products can't protect against targeted malware created by well-resourced nation-states with bulging budgets.

    You don't say.

  • by SCHecklerX ( 229973 ) <greg@gksnetworks.com> on Monday June 04, 2012 @10:12AM (#40208379) Homepage

    Once you are hit, it is already too late.

    What we as sysadmins and users should focus on instead is prevention.

    Unfortunately, prevention relies mostly on end user education. They will always download that cool image, or play that game, forward that e-card, etc. You can't cure user stupidity with technology. The car analogy would be, well, eliminate cars and make everyone take the train.

  • Who benefits from the success of Stuxnet, Flame, et al.? The U.S. has a simple method, (publicly tested, and verified), of bringing down a country's entire electrical system, and that includes those systems that have backups. Anytime the U.S. wants to "turn off" the power to a country like Iran, it can. But the U.S. hasn't, so who else? I don't see complexity here, I see simple economic warfare. And I see where, Iran could easily handle a problem like a war with guns; but Iran is helpless against a war with
  • by sir-gold ( 949031 ) on Monday June 04, 2012 @10:37AM (#40208673)

    Of course they are out of their league with Stuxnet and Flame. The AV companies are used to fighting teenage hackers and Russian mobsters; they aren't prepared to fight two of the highest-funded militaries in the world (USA and Israel). It's hard to beat the enemy when they outnumber and "outgun" you by a factor of 100,000.

    • by gweihir ( 88907 )

      Surprisingly though, Stuxnet was a good demonstration of how incompetent hackers will write their malware. There are quite a few mistakes, errors and incompetence in it. Of course, the Iranian defenders were even more incompetent, with no independent safety systems on their centrifuges that would have prevented the damage. Really pathetic on both sides.

      This basically shows that you can get past current AV software with something that is not very good in any regard. It also shows that the AV approach is fu

  • by gweihir ( 88907 ) on Monday June 04, 2012 @11:23AM (#40209197)

    From a certain attacker competence and resource level upwards, a leaky bucket like Windows cannot be fixed anymore. It takes competent system administration on a solid platform and a minimal attack surface. It also takes quality engineering with security in mind on everything that is reachable over the network. Most current software is so pathetically insecure (and yes, that includes quite a bit of FOSS software), that no amount of add-ons will ever make it secure.

    On the other hand, software that was done with sound secure software engineering practices, competent personnel and adequate resources is very hard to attack and will quite often be impossible to attack. The saying that everything can be attacked is just a lame excuse for insecure software. It has no relation to what can actually be done.

    What the article also shows is that the reactive, try-to-patch-thousands-of-tiny-holes-on-insecure-platforms-by-external-software approach that the AV companies are selling is fundamentally limited. This is not a surprise to any real security expert.

  • by Corson ( 746347 ) on Monday June 04, 2012 @11:45AM (#40209411)
    Flamer has been out in the wild since ca. 2007, with an MS-signed certificate, and the first IT security organization that decides to bring it to public attention is a Russian company, and the first removal tool is from a Romanian company. Right, because all of these antivirus companies [wikipedia.org] are so dumb they cannot detect a 20 MB spyware pack on Windows machines for four years.
  • Consumer-grade (Score:5, Interesting)

    by mrex ( 25183 ) on Monday June 04, 2012 @11:52AM (#40209477)

    The most bothersome statement to me is right here:

    >consumer-grade antivirus products

    Look, we all know that more advanced solutions are out there, antivirus techniques that rely on advanced chipset features and even custom hardware modules to protect systems. Yet we're still stuck using the same old known-signature-scanning, high-level-OS-API-using *shit* that wasn't up to the job a decade ago. Why? Are the billions of dollars a year in claimed corporate losses to computer intrusions insufficient profit motive for someone to bring something better to market? Are we really expected to believe that billion dollar companies like Intel, Microsoft, Google, and Apple simply aren't up to the technical challenge, let alone government agencies like the NSA whose job it is supposed to be to protect the security of America's communications? I guess they're too busy violating that security to care, these days.

    The pace of progress on the consumer internet used to be blinding. Now, with the network mostly taken over by large corporations and the governments they are symbiotic with, and the capture of the knowledge and creative spheres by government dollars and NDAs, the internet is becoming just as dysfunctional as the lumbering dinosaurs all-too-willing to ruin anything and hurt anyone necessary to ensure their continued place at the head of the table.

    • Re:Consumer-grade (Score:4, Insightful)

      by cyberfunkr ( 591238 ) on Monday June 04, 2012 @01:19PM (#40210627)

      The most bothersome statement to me is right here:

      >consumer-grade antivirus products

      Look, we all know that more advanced solutions are out there, antivirus techniques that rely on advanced chipset features and even custom hardware modules to protect systems. Yet we're still stuck using the same old known-signature-scanning, high-level-OS-API-using *shit* that wasn't up to the job a decade ago.

      Agreed.

      One of my biggest issues with most AV software nowadays is that they claim to be improving, but still use the same methodologies as always. What they are spending their money, time, and resources on is the f'n UI. In the end, I really don't need or want a pretty UI. Don't nag me about updates, just do it. I don't need a graph showing how many files were scanned per hour/day, just scan. I don't need a separate screen showing how well the mail scanner is working versus the web scanner. Just put a small icon in the system tray to say, "Your AV is running. Keep calm and carry on."

      If the software does find something, pop up a simple box saying here is what was found, where it found it, why it thinks it's bad, and what it should do. Oh, and make sure that the name of the virus is copy-able, so that I can paste it into a Google search and see details about what I'm up against.

    • by lgw ( 121541 )

      There was a recent /. article on how the military found and removed a virus that got into the control consoles for some drones: "host based scanning". Anyone can do this - simply scan the suspect drive by mounting it in a machine known to be clean. The most clever rootkit in the world has to be in order to hide itself. Want to do that in realtime? Do everything in a VM and scan it from the host - problem solved.

      If the TPM hadn't been perverted into some anti-consumer DRM thing, we'd all have this alrea
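The scan-from-outside idea lgw describes above, as an added example that is not part of the thread: a small Python cross-view check that compares what a tool running inside the guest reports against what the host sees on the same volume mounted read-only. A rootkit that filters the guest's directory and file APIs cannot filter the host's view of the raw filesystem. The volume layout, file contents and the guest-side listing are all constructed here for the demonstration.

```python
"""Cross-view integrity check: guest-reported listing vs. host view of the
mounted volume. Sample volume and guest report are constructed for the demo."""
import hashlib
import tempfile
from pathlib import Path


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def host_view(mount_root: str) -> dict:
    """Walk the mounted volume from the (trusted) host and hash every regular
    file, keyed by a '/'-joined path relative to the mount point."""
    root = Path(mount_root)
    return {
        "/".join(p.relative_to(root).parts): sha256(p.read_bytes())
        for p in root.rglob("*")
        if p.is_file()
    }


def cross_view_diff(guest_listing: dict, host_listing: dict) -> dict:
    """Files the guest does not report (hidden), files the guest reports but the
    host cannot find (phantom), and files whose content differs between views."""
    shared = set(guest_listing) & set(host_listing)
    return {
        "hidden": sorted(set(host_listing) - set(guest_listing)),
        "phantom": sorted(set(guest_listing) - set(host_listing)),
        "tampered": sorted(p for p in shared if guest_listing[p] != host_listing[p]),
    }


def demo() -> dict:
    """Constructed volume plus a constructed in-guest report that (a) omits the
    rootkit's driver and (b) shows the pre-patch bytes of a hooked library."""
    with tempfile.TemporaryDirectory() as vol:
        sys32 = Path(vol) / "Windows" / "System32"
        sys32.mkdir(parents=True)
        (sys32 / "kernel32.dll").write_bytes(b"legit")      # untouched, visible
        (sys32 / "user32.dll").write_bytes(b"patched")      # modified on disk
        (sys32 / "hidden_driver.sys").write_bytes(b"evil")  # filtered from guest
        guest = {  # what an in-guest scanner would be shown (constructed)
            "Windows/System32/kernel32.dll": sha256(b"legit"),
            "Windows/System32/user32.dll": sha256(b"original"),
        }
        return cross_view_diff(guest, host_view(vol))


if __name__ == "__main__":
    print(demo())
```

In practice the host view comes from a read-only mount of the VM disk or the pulled drive, and the guest listing from whatever inventory tool runs inside; any entry in `hidden` or `tampered` is a discrepancy worth investigating.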

  • MS has issued a security update KB2701704 [microsoft.com] that revokes some certificates, presumably the ones used in these attacks.

  • "Flame" isn't on the list of malware detected by the Microsoft Malicious Software Removal Tool. [microsoft.com] Why not?
