Forgot your password?
typodupeerror

McAfee Blames Open Source for Botnets 223

Posted by timothy
from the how-conveeeeenient dept.
v3xt0r writes "It seems that 'the Open Source Development Model' is to be blamed for the recent increase in botnet development. 'We're not taking aim at the open-source movement; we're talking about the full-disclosure model and how that effectively serves malware development,' the spokesman for McAfee says. Why not just blame the IRC Protocol? Or simply admit that Proprietary vendors cannot keep pace with the Open Source Model?"
This discussion has been archived. No new comments can be posted.

McAfee Blames Open Source for Botnets

Comments Filter:
  • What? (Score:5, Insightful)

    by NiteMair (309303) on Monday July 17, 2006 @12:59PM (#15732237)
    So, here is an article simply claiming that some "malicious developers" have found a way to collaborate using open-source tools...

    Wow, I've seen a lot of commercial vendors doing that in the recent years also - maybe they're all suspect.
    • Re:What? (Score:2, Insightful)

      **Waiting for the closed source companies contribute more to spyware article**
    • Re:What? (Score:4, Interesting)

      by deathy_epl+ccs (896747) on Monday July 17, 2006 @01:15PM (#15732353)

      Certain vendors of anti-virus software appear to believe so. I wrote an exe-packer primarly so I could pack dotnet executables and distributed it for free. It got used by some malware author out there, and this anti-virus vendor decided then that anything packed with my exe-packer must be a virus.

      I swear, it doesn't pay to share anything any more. ;-)

    • Re:What? (Score:5, Insightful)

      by bwt (68845) on Monday July 17, 2006 @01:25PM (#15732448) Homepage
      Exactly. The open source model is a higher productivity model, so the black hats use it, just like everybody else that produces a lot.

      And of course, we have to suffer another dig at the full disclosure doctrine. But the part they left out was how they plan to get the black hats not to share information with each other. Full disclosure just assures that the white hats all have the same information and that the battle is fought on pure technology lines and not on who is better at hiding things (a battle the good guys would lose).
      • Exactly. The open source model is a higher productivity model, so the black hats use it, just like everybody else that produces a lot.

        A higher productivity model? Nonsense. It is no more high productivity than any other development model. Productivity depends on the development team, and their movation and interest, and the openness or otherwise of the project has little or no bearing on this. Just look at the number of open source projects stuck in permanent beta because no-one is interested in doing t
    • by rs79 (71822) <hostmaster@open-rsc.org> on Monday July 17, 2006 @01:27PM (#15732470) Homepage
      I blame open source for the development of the interent.

    • No, you don't understand.

      If it's proprietary and closed source malicious software, it's "market-enabling software". It's only "bad" if those open source evildoers write it.
  • Load of BS (Score:5, Funny)

    by Wieland (830777) on Monday July 17, 2006 @01:01PM (#15732239) Homepage
    From TFA:
    The current generation of bot software has grown to the point where open-source software development tools make a natural fit. With hundreds of source files now being managed, developers of the Agobot family of malware, for example, are using the open-source CVS (Concurrent Versions System) software to manage their project.
    If that's the best example they can come up with... Geezz, malware writers probably eat cereal, too. Why not blame Kellogg's?
  • by eldavojohn (898314) * <eldavojohn AT gmail DOT com> on Monday July 17, 2006 @01:02PM (#15732240) Journal
    'We're not taking aim at the open-source movement; we're talking about the full-disclosure model and how that effectively serves malware development,' the spokesman for McAfee says.
    Yeah, you could probably blame a few people who altered a little bit of a virus/bot and re-released it to the public on the full disclosure model.

    But what model would you blame for the hundreds of PC viruses that devestated home and corporate computers in the 90's up to today? I think the exploits they relied upon were simple coding flaws and insecure type checking or buffer overflows that wer simply poor coding kept as a secret.

    So, in light of what causes the malware, would I rather the code be fully disclosed or instead guess that there's probably no major exploit possible? I'd probably go with the former considering the sheer number of viruses based on the latter and the fact that it's the exploits based on proprietary code that often do the most severe damage to society.

    I would like to ask McAfee what they would think if a competitor found a virus and figured out how to fix it but couldn't tell McAfee that information because it would be considered disclosure. That would be the real irony here. Sites that host viruses and describe/publish them are often very useful sources for people looking to rid them from their computers or even how to avoid exploits in the future.

    This article is entitled "Hackers Learn from Open Source" but they only learn as much as the researchers and patchers do. I would rather the community be progressing towards solid impenetrable code than have guarded secrets that keep everyone under a thin veil of security. Because if those secrets are ever discovered by the wrong people, we will not know about them and we'll essentially be caught with our pants down. I'd rather have every programmer know the pitfalls of coding than to have thousands of applications deployed world wide all waiting for one hacker to stumble upon a secret.

    You really have to question McAfee's motives here in their Sage magazine ... are they doing this with the customer in mind or are they attempting to place themselves in the leader seat of virus protection with even more exploits running rampant on our machines?
    • by Moraelin (679338) on Monday July 17, 2006 @01:17PM (#15732387) Journal
      RTFA, seriously. That disclosure that they mention is _not_ the disclosure of OS code. If you RTFA, at that point they explain very well what they mean by "full disclosure" and it has _nothing_ to do with OSS any more. Their "full disclosure" is about researchers disclosing a vulnerability, together with ample instructions and proof of concept code of how it can be exploited. It has _nothing_ to do with Linux vs Windows, Closed Source vs F/OSS, etc. It's about disclosing vulnerabilities.

      Basically what McAffee says is, "I wish researchers stopped telling everyone everything about this and that buffer overflow. Telling people everything about a bug only helps the evil hackers use it in a virus!!!111one1eleventeen" Not an exact quote, but that's the general idea they're peddling there.

      Which is, in the nutshell, just the old "security by obscurity" argument. Which has already been debated to hell and back and is known to not work that way. And, frankly, it's weird to see McAffee preaching that attitude, because the anti-virus makers should know the best that it never worked that way.
      • Maybe they (the anti-virus vendors) are just being the front-man for the software industry. Maybe it's really the other software vendors who don't want full disclosure because they don't want people to find out that even after all these years of promoting secure computing, and paying for all those upgrades, things are still not secure.

        Then on the otherhand, maybe it really is just the anti-virus vendors. Very often, with full disclosure, the researchers also say what can be done to protect against the exp
      • Perhaps what McAfee is really afraid of is the open dialog and response of something like ClamAV?

        If enough developers 'pool' into working on it, and an open dialog of faults and vulnerabilities continues, could they find themselves out of a job from an Open Source solution?

        (especially as they are about to be challenged by MS Defender, which could also benefit from open dialoge to augment a shallower background in the field?)
      • So consider a development of condos that turn out to have a real problem with their security system. Well, I mean more than the gaping, massive problems that every home has (on a computer scale homes would be luck to rate as good as unpatched Windows 2000). So I notify the developers, they drag their feat since they've already sold the homes and don't care. Well clearly I need to inform the owners. But how to go about it? Do I:

        1) Post or send a notice in relivant places that lets people know that they are v
        • I don't see why computers should be any different. Yes I want disclosure about security problems, espically if teh company is slow in getting a patch out. However disclose the problem, what it relates to, what the potential attack vectors, and what if anythign can be done to fix it. Don't go and post code that not only shows people how the exploit works but allows them to just compile and do it. Do that and in all likelyhood my system will be 0wned before I ever read the notice and try to do anything about
        • Why should I tell theives how to work the exploit? Who is that good for? Isn't it better to disclose what's necessary to let people know what is wrong and what to do about it, but not provide a DIY guide for the malicious?

          What if the theif lives in one of the condo's... In real life (most)people dont walk around with signs saying I am a computer hacker/professional burgular/rapist.

  • ...it was the conspiracy to create insecure operating systems.
  • by Rob T Firefly (844560) on Monday July 17, 2006 @01:02PM (#15732244) Homepage Journal
    The actual blame rests on Charles Babbage, and that "computer" idea of his. But to be fair, he might never have done that if it hadn't been for those damned ancient Greeks with their abacus...
  • Say there is an vulnerability, only known to black hats which is being exploited. Someone finds it, reports it to the vendor. The vendor sits on it for months while a massive botnet spams the hell out of us using it.

    Isn't it better to release info so people can do something about it? Network admins can use it to help block the attacks, or disable the vulnerable software. Users can stop using it. And people can ever make their own patches, or use the shared knowledge to look for similar flaws in other software.

    We have seen this happen. Can anyone provide a good alternative, because McAfee certainly can't?
    • You can disclose that there is a venurability and that it is with a certian service without disclosing how to exploit it. Now while that does perk up the black hats and get them looking for it, there's lag time. Lets people realise there is a problem and take some steps. I'd say it's better than providing all the tools you need to exploit it from the get go.

      As a sys admin, knowing the specifics does me no good. I don't even look at the code, i'm not a programmer. The relivant information to me is "Service X
  • by InfiniteWisdom (530090) on Monday July 17, 2006 @01:05PM (#15732260) Homepage
    Evil hackers learn programming techniques in schools and colleges!
    • McAfee is implying that their research indicates that OSS has done a lot of damage. In summary, OSS allows irresponsible and careless (or payed) angry adolescents to develop quicker and easier than going to school. Malcontents have access to tools that were only available to software development houses that sold commercial products, previously. This is why malware is so much more advanced.

      I don't know if that conclusion is sound, but there is no evidence to the contrary and malware certainly has become stag
    • I blame the parents. If it wasn't for them, the evil hackers would've never existed on the first place!
  • Well... (Score:4, Insightful)

    by voice_of_all_reason (926702) on Monday July 17, 2006 @01:06PM (#15732266)
    Why not just blame the IRC Protocol?

    Because McAfee has an unterior motive and wants to discredit the competition.

    With there be anything else?
  • I've done some research on this myself and I've determined that the primary cause of the spread of malware is the internet. Updates to follow.


    Actually, I see this as a great example of software natural selection. The OSS is killing off the weaker software.

  • by Moraelin (679338) on Monday July 17, 2006 @01:07PM (#15732270) Journal
    Basically it seems to me that McAffee _isn't_ complaining about OSS, and explicitly says they don't. There are two _very_ distinct and unrelated parts of the article:

    1. The open source part. Which doesn't contain any kind of anti-OSS slant. It just says that people now have a lot of F/OSS tools to manage their files and whatnot.

    2. The part about full disclosure. Where they basically whine that they'd like to have what we all call "security by obscurity." Basically McAffee would like a world where researchers keep a lot more stuff secret, because supposedly being public about that helps evil hackers. Which is as stupid as it gets, yes, but it also has nothing to do with OSS at this point.

    So why the fanboy slant in the summary?
    • I wondered this as well... It seemed very strange until I put 2 and 2 together.

      What if open source virus checkers are doing better in the market place than McAfee suggests? Open source virus checkers can only compete if there is full disclosure. Or in other words, if McAfee doesn't get advanced notice, then they lose any possible competative advantage.

      So it seems to be a FUD attack aimed at shutting down their OSS competition. I'm actually rather surprised because I didn't realize the OSS alternatives w
      • Ah, well, it's McAfee, so being "better" than that doesn't really say much. I'm sure there are some good OSS AV programs out there, but comparing them to McAfee really doesn't say much. It's sorta like saying that they're better than a kick in the crotch.

        Honestly, the last time I used that crap "security" suite of theirs, it was far worse than your average virus.

        Among _many_ samples that proved massive cluelessness was the fact that as soon as it "updated" itself, it actually couldn't cope with being instal
    • So why the fanboy slant in the summary?

      Well, I can guess...

      Fanboy read the title.

      Fanboy _may_ have skimmed the article.

      Fanboy didn't understand the distinction.

      Fanboy rapidly submitted it! (I'm gonna be on /.!!!!!!)

      Editor read the title.

      Editor _may_ have skimmed the article.

      Editor didn't understand the distinction.

      Editor rapidly published it! (I'm gonna be on /.!!!!!!)
    • So why the fanboy slant in the summary?

      You must be new here...

    • by dzfoo (772245) on Monday July 17, 2006 @01:35PM (#15732546)
      They *are* complaining. Its called "planting the seed of distrust":

      From the article:
      "Over the last year and a half, we've noticed how bot development in particular has latched on to open-source tools and the open-source development model,"

      Further down:
      Marcus said his company is drawing attention to the open-source trend to educate users, and not as an attempt to discredit open-source alternatives to its own proprietary software products. "We think [open-source antivirus products] are fine. They've never been something that was really in the same class as ours, but we've always been big supporters of open-source antivirus," he said.

      In other words, McAfee is saying "Bot writers are using Open Source tools to develop, maintain, collaborate on, and distribute malware. We're just saying, you know. Not that we're accusing them of anything; we're just saying."

      Then later in the article they start bad-mouthing Full Disclosure. That's, as you say, a separate topic.

          -dZ.
      • I don't know, someone would IMHO need to be completely clueless for such an association to really result in distrust.

        I mean, seriously. So some virus writer uses CVS. In what way does that say anything bad about CVS? It's like saying that gangsters use(d) cars for their drive-by shootings. Does that mean we should start distrusting cars or car manufacturers? And some are stereotyped as beating people up with baseball bats and/or throwing people off piers with cement shoes. Does that mean we should start dis
    • There are two _very_ distinct and unrelated parts of the article:

      I noticed the exact same thing.

      The open source part. Which doesn't contain any kind of anti-OSS slant. It just says that people now have a lot of F/OSS tools to manage their files and whatnot.

      I'm not even sure what the point of this is other than FUD for the uninformed. So virus writers are forming communities and working together... it has nothing to do with OSS. As virus writers they would be more likely to pirate commercial software if th
  • Obviously (Score:2, Funny)

    by eclectro (227083)

    It's the "Brotherhood of Linux" that prevents malware being written for Linux computers and why there are no Linux zombie botnets.
    • Funny that, but with the number of ssh scanning and php/exec() style worms, that have jumped onto linux machines and sent spam, etc I've cleaned up over the past few years I'd have to disagree with you there!
  • Reportedly, evil malware authors have been discovered using Microsoft Visual Studio! That is right, they're using Microsoft development tools to create their evil wares. Where are the crowds with pitchforks?! Time to hang Redmond out to dry.

    But seriously folks, malware authors using CVS? I never thought they'd think of using arguably the most popular version control system in the world. Besides, that means they are adopting the open source development model how? Plenty of companies use CVS internally,
  • LOL (Score:2, Funny)

    by truthsearch (249536)
    We're not taking aim at the open-source movement, but we hate the fact you like to be open and honest. How dare you tell people what's really going on! We're the only ones with the authority to do that!

    Idiots.
  • When I look for someone to blame for Botnets, I tend to lay it on Botnet operators. I guess McAfee has a different way of looking at blame.

    Tom Caudron
    http://tom.digitalelite.com/ [digitalelite.com]
  • Open Source bugs will be revealed faster and closed faster PLUS a developer's code will be viewable by anyone (including those pesky hackers) so one might argue that the open source movement will (does?) cause people to be a little more careful in their code and not do things like say "oh, this pointer can be null here, but oh well, no one will know about it". We might see a flurry of open source security holes at first, but I bet they are closed and stopped quickyly, unlike the commercial counterparts whi
  • by Maru Dubshinki (804451) <marudubshinki&gmail,com> on Monday July 17, 2006 @01:08PM (#15732283) Homepage
    Amusingly, you could read this article as an endorsement of open source software and methods- as in, "Open source methods and tools are so awesome that crackers and blackhats have switched to using them and now run rings around the antivirus corporations who don't."
  • by mormop (415983) on Monday July 17, 2006 @01:11PM (#15732306)
    Car theft is the fault of metal-workers. After all, if powered centre-punches weren't available due to metal workers using them to mark drilling spots on metal then car thieves wouldn't use them to break car windows.

    Forget the fact that a powered centre punch is just an inanimate tool and that it's purely the malicious intent of car thieves that means they're used for illegal reasons, someone must be to blame. So let's lynch metal-workers for causing car theft!!

    • Exactly, open source is just a tool. Like guns. Guns don't kill people, dangerous minorities do (it's from Family Guy). Tools may make it easier, put it takes people with malicious intent to do harm (3 people in my town got stabbed last year... I blame knives... sitting around all pointy like that, it's a wonder we're not ALL dead!).
  • by Lumpy (12016) on Monday July 17, 2006 @01:11PM (#15732318) Homepage
    My headline is as credible as theirs. If they want to start flinging mud we can fling it back. Outsourcing virus writers to help perpetuate sales of Anti Virus software is good for business has a large return on investment and a practical way of making sure that the next incremental release is purchased by all your customers.

    • I'm confused - when you refer to "their" headline, do you mean the one from the original article, which was written by PCAdvisor, or the one here, which was written by v3xt0r (assuming timothy didn't "edit" it)?

      Perhaps you want to make sure you're aiming in the right direction, before flinging too much mud.
  • by 8127972 (73495) on Monday July 17, 2006 @01:12PM (#15732326)
    ..... who said that that OSX is the next Windows:

    http://download.nai.com/products/mcafee-avert/Whit ePapers/NewAppleofMalwaresEye.pdf [nai.com]

    So take anything they say with a grain of salt.
  • by b0s0z0ku (752509) on Monday July 17, 2006 @01:13PM (#15732340)
    "We think [open-source antivirus products] are fine. They've never been something that was really in the same class as ours, but we've always been big supporters of open-source antivirus," he said.

    "Same class?" Meaning as slow to start, buggy, and bloated as McAfee products? Open-source developers should by thanking that guy for the compliment.

    -b,

  • by algae (2196) on Monday July 17, 2006 @01:14PM (#15732346)

    Given that the summary itself says that this is not about the open-source development model, I've got to conclude that the headline is a troll. You can apply the full-disclosure model of security notification to any software, open or closed.

    This is about whether the finders of security vulnerabilities give the vendor a grace period to fix the problem before disclosing the vulnerability to the general public. It has nothing to do with open source.

    • Yes, the headline is a troll. The headline of TFA, that is: "Hackers learn from open source"...

      Actually, that's not too bad. But I don't think the /. headline is that much worse. And they are blaming full disclosure, which is a kind of open source.
  • What he said. (Score:2, Insightful)

    by CCFreak2K (930973)
    "You know what really grinds my gears?..."

    Linux is evil, Windows is good, proprietary blah blah blah. The biggest shock to me is that anyone has the balls to point to open source and say "YOUR development model is responsible for this mess," especially considering the way Windows ships as default (make all initial users members of Administrators). I'm still reeling from hearing McAfee (or someone officially affiliated) say something to the effect of "Your open code and development is killing us!"

    You have
  • From the experts... (Score:5, Interesting)

    by helmutvs (912204) on Monday July 17, 2006 @01:15PM (#15732368)
    Who brought you an "update" the other month that categorized files from "IBM (Rational), GreenHills, MS Office, Ansys, Adobe, Autocad, Hyperion, Win MPM, MS Shared, MapInfo, Macromedia, MySQL, CA, Cold Fusion, ATI, FTP Voyager, Visual Studio, PTC, ADS, FEMAP, STAT" as viruses and promptly deleted them. Here's the story. [slashdot.org]
  • ...curing Viruses? Most viruses are the most minor change in code yet that is all it takes for the new version of TRJ_Worse_Virus_ever.BA3 and then BA4, and BA5, to infect the next PC. If they did there job as good as they could do it they would put themselves out of business.

    I know 800 slashdotters are going to mod me troll and describe how wrong I am but I can't fully believe it.

    Course I'm into JFK and 9-11 conspiracies as well....
    • I hereby cordially invite you to write the better AV tool.

      When you know an algorithm that flawlessly discriminates between "good" and "bad" code, copyright it today. You'll be a very rich man, if you sell it, or an icon of OSS development if you hand it to the OS community.

      But at least you didn't claim that AV companies create them themselves, it's at least something I gotta give you.
      • If beating viruses was something you could do with a store-bought product like a virus scanner then your arguement would be valid.

        Security isn't something you can make - it's something you do. McAfee's magic potion just doesn't work. And it's not because the magic potion is bad (after all, this is a magic potion that's been developed over many years and has taken many skilled hackers to create). It's because magic potions don't work.

        Take for example one fairly secure operating system - OpenBSD.
        1. What
        • I concur. Security is not a product, it's a process. Unfortunately, we let all the clueless people in who don't know the first thing about security. What should we do? Lock them out? Throw them out of the 'net 'til they learn how to keep their crate secure? I'm the first to sign that petition, but you'll have a very hard time getting it passed past the counter pressure of the industry trying to sell the 'net to them, since they are by definition a more interesting target group than people who know their too
  • TFA defines Full Disclosure for us, in case we were confused: "However, Marcus did take issue with security researchers who distribute samples of malicious software, a practice known as full disclosure."

    No. Full disclosure is just that: disclosure. Distributing samples of malicious software is at best a proof of concept, but usually just irresponsible and/or malicious distribution of same.

    Given this piece of intellectual dishonesty, I think that any doubt that McAfee was on the up-and-up with this article c
  • Since the OSS model or full disclosure model as the article calls it is widely available to the anti-virus companies (ie commercial programmers) and the malware programmer simultaneously and the malware programmer beats the commercial programmer out the door, does that mean that the OSS programmer is a better programmer?

    Put a different way, and not to simplify it too much, but the anti-virus programmer needs to write a patch to detect a piece of code which has been handed to him/her. The malware has to wri
  • Hackers are using techniques popularised by developers of open-source software like Linux to improve their malicious code, a researcher at McAfee has said.

    Nowhere is this more apparent than within the growing families of 'bot' software, which allow hackers to remotely control infected computers. Unlike viruses of the past, bots tend to be written by a group of authors, who often collaborate by using the same tools and techniques as open-source developers, said Dave Marcus, security research and communicatio

  • by Dcnjoe60 (682885) on Monday July 17, 2006 @01:21PM (#15732420)
    People shouldn't blame McAfee. They're just really stressed out. You'd be too, if you had to make Windows a secure OS.
    • While I do write programs and utilities as part of my job (and I like tinkering with it anyways), I'm not a coder by trade. So, with that disclaimer out of the way, I'll render my admittedly uninformed opinion.

      I suspect that, all else being equal, it's probably easier to find exploitable flaws in a system and write malicious code to take advantage of it as opposed to trying to defend against such attacks. Not only is it generally easier to destroy than to create, but the attacker need only find a single f
  • It really blows my mind that a corral cache link isn't automatically added to submitted stories... just a little (cc) afterwards with the cc being a link would suffice.

    http://www.pcadvisor.co.uk.nyud.net:8090/news/inde x.cfm?newsid=6601 [nyud.net]
  • hmmm... let's put things in perspective here between companies and people.

    As far as I can see it, FOSS supports people, and statements like this only drive home the point that companies are driven by wealth to the exclusion and elimination of health for people.

    Companies were an exception when the King of England first granted them as favors to a select few. It allowed exceptional rights, and those rights have only grown over time. It has now come to the point where pretty much any organized human behavior
  • by Opportunist (166417) on Monday July 17, 2006 @01:37PM (#15732568)
    Could be that they have to get that air of being against closed source off them after they found Excel to be a trojan (ok... some might claim it's not really a false positive, but still... a few companies didn't enjoy the idea of having their Excel removed...).

    But quite seriously, could anyone please explain just HOW a malware author would benefit from open source? Because of the tools? Seriously, if you're writing software that's considered "illegal" in most places of this planet, would you care about licensing? Whether the software is free (as in beer and as in software) is pointless for him. If it's not free, he'll copy it illegaly.

    Because they could learn how to write malware? The "real" malware projects are not open source, actually anything BUT it. First of all, major exploits are not shared, they're sold. Plain and simple. Malware is a business, just like a lot of other software, and they are by far the last to go for open sourcing, simply because it would cut into their revenue. Actually, the few snippets and code parts that ARE open source is one of the key sources for AV researchers, unless they want to go for the darker venues in the trade. And, finally, when knowledge becomes illegal, gimme a ring. Then it's time to leave the planet.

    If you want to learn how to write malware, you needn't wade through open source projects. You won't find much worth finding.

    So I don't really understand just why McA is targeting the OSS movement. There is little to be gained by malware writers through OSS, but a lot for those opposing malware. If anyone, it's the AV researchers who benefit from open sourcing malware. Because they would have a hard time explaining just why they would have sent money towards people wearing darker colored hats.
  • Misleading title (Score:3, Informative)

    by HangingChad (677530) on Monday July 17, 2006 @01:38PM (#15732573) Homepage
    It makes it sound like virus writers are using open source software to launch botnets. They're using open source software development techniques to create botnet software for Windows.

    Sheesh.

  • by Spazmania (174582) on Monday July 17, 2006 @01:46PM (#15732635) Homepage
    we're talking about the full-disclosure model and how that effectively serves malware development

    The open source, full-disclosure model improves the pace of ALL software development. All means all, including software development for "bad" purposes.
  • by AllParadox (979193) on Monday July 17, 2006 @01:49PM (#15732652)
    Just as the vendors claimed, this full-open-disclosure business is promoting distribution of powerful tools to, well, just anybody. Now the bad guys know about it and are using it. Can it get worse than this? Oh, sure. Try stopping it. __________________________________________ AllParadox - Retired Attorney, no legal opinions, just my opinion.
  • Someone needs to tell Macafee that it is time to put on their white shirts, roll up their sleeves, cross their arms and scowl.
  • by crono_deus (796899) on Monday July 17, 2006 @01:56PM (#15732703)
    Dammit, I've heard just about enough of these arguments. About 150 years ago, this man called Charles Tomlinson published a paper regarding how the mechanical workings of all locks should be public knowledge because, he reasoned, if the public knew about the weaknesses and strengths of each lock, they could 1) force the lockmaker into making a better lock, and 2) choose the one that suited them the best.

    Below are two excerpts from the paper, found, interestingly enough, using the "fortune" program. Yes, I know that the making of locks isn't exactly like the creation of software, but the principle remains the same. Security through obscurity is no security at all; however, if the standards and techniques are open and available to the public, we, the "experts" in the field, will actually be hold companies accountable for problems and shortcomings in their software.

    "A commercial, and in some respects a social, doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and already know much more than we can teach them respecting their several kinds of roguery. Rogues knew a good deal about lockpicking long before locksmiths discussed it among themselves, as they have lately done. If a lock -- let it have been made in whatever country, or by whatever maker -- is not so inviolable as it has hitherto been deemed to be, surely it is in the interest of *honest* persons to know this fact, because the *dishonest* are tolerably certain to be the first to apply the knowledge practically; and the spread of knowledge is necessary to give fair play to those who might suffer by ignorance. It cannot be too earnestly urged, that an acquaintance with real facts will, in the end, be better for all parties."

    -- Charles Tomlinson's Rudimentary Treatise on the Construction of Locks, published around 1850

    "In respect to lock-making, there can scarcely be such a thing as dishonesty of intention: the inventor produces a lock which he honestly thinks will possess such and such qualities; and he declares his belief to the world. If others differ from him in opinion concerning those qualities, it is open to them to say so; and the discussion, truthfully conducted, must lead to public advantage: the discussion stimulates curiosity, and curiosity stimulates invention. Nothing but a partial and limited view of the question could lead to the opinion that harm can result: if there be harm, it will be much more than counterbalanced by good."
    -- Charles Tomlinson's Rudimentary Treatise on the Construction of Locks, published around 1850.

    If you ever wanted to send anything defending OSS to anyone, this would be a very good thing to send.

  • Or simply admit that Proprietary vendors cannot keep pace with the Open Source Model?

    Why would they want to slow down that far? Seriously, if MS was as fast as open source, we'd still be running on DOS 5.0 with Windows 3.0.
  • by dilvish_the_damned (167205) on Monday July 17, 2006 @02:02PM (#15732746) Journal
    I know he is suggesting that they are not throwing snowballs at Open Source, but specifically at full disclosure. However, if you go ahead and a read a little more into it, phrases such as

    "We're not taking aim at the open-source movement; we're talking about the full-disclosure model and how that effectively serves malware development," he said.

    become more transparent.

    What effectivly serves malware development also serves things like clamav and snort. I suspect this botnet thing is just a short term issue for them, the long term problem is full-disclosure used to defend oneself.
    Maybe I am wrong. Maybe it is all about malware developers becoming more effective. If thats true then this reads like an appology for being ineffective.

    Or maybe its just a sad cry for help. Like a suicide note left in a conspicuous place.
    Its fun reading things into things.

  • by BeBoxer (14448) on Monday July 17, 2006 @02:10PM (#15732791)
    Maybe that's what McAfee really cares about. Full disclosure means, in part, that it's easier for new vendors and products to compete in the security field. Sticking with limited disclosure, where only the OS vendors and established security vendors are informed, just lets the established vendors get complacent. Which given the quality of modern security software I would say has already happened. So they throw a bunch of FUD around, as though the problem isn't in large part due to closed-source software vendors being incapable of getting their shit together when it comes to security.
  • In other news: World Blames Macafee for their bad software.

  • a) Open Source: Easier to find bugs/exploits in the source, for both malicious and altruistic (fixing 'em) purposes.

    b) Closed Source: Harder to find bugs/exploits, meaning that they might be harder to exploit, but also oftimes harder to get a timely fix and/or fix it yourself... or even know the bug exists.

    There's a bad and good in both worlds.
  • The chickens are coming home to roost. The anti-virus model is essentially untenable-- akin to closing the barn doors after the horses have escaped. Anti-virus only works if you get the anti-virus signature updates before you get the virus attack-- but the signatures cannot be produced until the virus is encountered in the wild, by which time it has likely mutated into something new. AV is only capable of protecting against *old* viruses. Far better preventatives are a good network firewall, a good exec

  • As others have pointed out, McAffee is actually worse than spyware. At first, I thought it was just the fault of Windows that reading stuff off the disk was taking several minutes for 10 or 20 megs of data. Or maybe the nvidia software RAID. But I disabled McAffee, and suddenly, it was as fast as it was supposed to be.

    As to why it was there in the first place? College gave me lots of commercial software for free, including a copy of XP Pro. I have a legit, original, burned copy of XP Pro. Weird, I kno

CCI Power 6/40: one board, a megabyte of cache, and an attitude...

Working...