Hello Anonymous Coward,

I do indeed avoid running or even looking at any competitor's antimalware product. A large part of that (the largest part, as a matter of fact) is because I believe my employer's software is the best. After all, if I did not believe that, I would not be working for them, would I? But the other part is because I have been deposed in numerous patent lawsuits over the years, and the last thing I want to do is get dragged into another one because of something I did.

I hope that explains things with sufficient clarity.

Regards,

Aryeh Goretsky

The qualifier at the end of your statement is a major problem if you mean you'd be afraid to use it because you personally have something to fear because you are a competitor, and therefore might be a target for maliciousness from him. I suspect you meant you can't because you must eat your own dog food, so to speak, but I think the first interpretation is more important. If you even might have something someone else wants badly enough, there are ways to make it happen. So the OS you use is exploit proof? Then they make the maker of you OS build an exploit into it. Either by legislation, or blackmail, or threats, or traitors, there's always a way.

Hello,

That is very annoying; especially considering that I'm a former McAfee employee from long ago (1989-1995). I will yell at^H^H^H^H^Hpolitely ask someone over there to fix it. Thanks for letting me know.

Regards,

Aryeh Goretsky

Is how McAfee SiteAdvisor flags your site as exhibiting "Risky Behaviour", warning me before even visiting ...

Hello,

Allow me to explain further. My direct interaction with Mr. Kaspersky has been minimal—it has been several years since we exchanged emails. He is the CEO of a security firm that clocks in at a sizable fraction of a billion dollars, and I'm a researcher at a smaller competitor. On the other hand... I interact professionally with his researchers on a regular basis and we all go to the same conferences and so forth so there's more face time at that level.

From everything that I have seen, we all want the same thing: The ability to use our computers safely without fearing malicious activity on (or towards) them. Now, the means towards that end may differ, and I would imagine our sales and marketing departments probably don't care for each other much, but at the end of the day, I would say pretty much all of the antimalware researchers that I know in the industry want that to happen.

Regards,

Aryeh Goretsky

That said, while my interaction with Eugene Kaspersky over the past decade has been minimal, he has assembled a world-class group of researchers, and I would have no concerns about running any code written by them on any computer I own were I not a competitor.

Regards,

Aryeh Goretsky

"I have little experience but trust him". Why? Considering this article specifically questions the integrity of his ability to be partial, you should say why.

Hello,

This is a very interesting move by Eugene Kaspersky. Speaking as both someone who has worked at an embedded systems manufacturer (VoIP telephony gear) and also as a competitor (antimalware) I know that each one has very specialized toolchain requirements and that expertise in one area does not necessarily translate to mastery of the other.

Probably more curious is the timing of the announcement: It seems an odd time for a Russian antimalware company whose founder has close ties to that country's intelligence agencies to announce a new operating system for critical infrastructure tasks, especially since the US House Intelligence Committee is tearing into Chinese telecom gear vendors Huawei Technologies and ZTE over concerns about the security of their products.

That said, while my interaction with Eugene Kaspersky over the past decade has been minimal, he has assembled a world-class group of researchers, and I would have no concerns about running any code written by them on any computer I own were I not a competitor.

Regards,

Aryeh Goretsky

Hello,

Relevant: Sarah Brightman & Hot Gossip - I Lost My Heart To A Starship Trooper

Warning: Extremely cheesy.

Regards,

Aryeh Goretsky

Hello,

Malware for Android, Google's version of Linux for smartphones and tablets, seems to be on the upswing, though.

Regards,

Aryeh Goretsky

Hello,

I realize the default permission on Slashdot is set to "anti-Microsoft," but before that gets out-of-line, consider this attack was purportedly done by an insider (or possibly even insiders).

At that point, it doesn't really matter what the operating systems(s) the business runs. If it was an inside job, the attacker would have been damaging things regardless of the operating system(s) used. How environments are secured and managed is a lot more important these days than what operating systems they run.

Regards,

Aryeh Goretsky

Hello,

It is interesting in reading the article and comments here on Slashdot that no one has talked about the effect cooperation between Iran and North Korea would have on either accelerating the pace of malicious software deployed against these nation-states, or even worse, the use of other means to combat their nuclear ambitions.

The Stuxnet worm was designed to target a single specific network. Yes, it spread in other ways, but the payload it deployed would was engineered so that it would only work on the Natanz nuclear facility's network. That is an insane level of precision and it clearly shows the huge investment made by the attacker(s) to ensure that this "cyberweapon" could only be triggered by the correct environmental conditions. It costs money to develop the targeting, payload and telemetry systems to support that, and the attacker(s) are only going to make that type of investment in what has to have been a highly-speculative "cyberweapon" if they believe they are going to get some value out of it.

The value in malicious software like this (as well as in commercial spyware offerings, like FinFisher) is in their ability to perform without being detected by anti-malware software. As soon as that happens, the malicious software no longer has any value. The attacker may attempt to update their malicious software for a few generations, but once they are on the radar of anti-malware companies, samples of the new variants will make their way to the researchers at the anti-malware companies, possibly with metadata or telemetry that allows the point of origin to be identified. Which is not so good for plausible deniability. It is also possible that the countermeasures introduced to foil detection by anti-malware programs will introduce unforeseen errors into the malicious program, simply because it was not as fully tested as the original attack.

If one is to believe that the Stuxnet worm was jointly-created by the United States and Israeli to (1) degrade Iran's nuclear ambitions; and (2) as a means of delaying an attack by Israel on Iran than one has to wonder about what sort of options are to be considered if malicious software is no longer an option.

From the defender's point of view, Iran's response to the Flame malware was probably the most effective thing they could do to combat it: The Iranian CERT blasted out copies of it to anti-malware companies around the world, ensuring that detection would be added in a matter of hours. Anti-malware companies add detection of malicious software sent to them; that's what they do, after all.

The idea that an anti-malware company would not add detection for a threat because it may have been created by or used by a governmentâ"or they were told not to by their governmentâ"does not hold water. While anti-malware software may be thought of as an American or Western European creation, there are plenty of anti-malware companies in South America, the Middle East, Asia, Eastern Europe and other parts of the globe, and any anti-malware company that did not add detection for such a threat would be subject to speculation and scrutiny about why. It would be a tacit admission by the country the anti-malware company operated in that their government was responsible for the malware.

Maintaining plausible deniability means not blocking or otherwise interfering with the detection of malware by anti-malware companies, and when they respond to a threat in hours that may have taken weeks, months or even years to develop, well, you start looking for other ways to get more bang for your buck. My fear is the emphasis will be on the bang.

Regards,

Aryeh Goretsky

Hello,

A list of OS software developers who are members of UEFI:

• Apple
• Canonical
• Cisco
• Cray
• Fujitsu
• Hewlett-Packard
• IBM
• Microsoft
• NEC
• Novell
• Oracle
• Red Flag
• Red Hat

And there are also other companies who work in the same neighborhood (CPU manufacturers, firmware developers, etc.). Source: UEFI Membership List.

While I understand (and, to some extent, sympathize with) the desire to hold Microsoft solely responsible for every activity in the computing industry, this is clearly a joint effort across the industry to replace a two decade-old invention whose time has come. And as far as I know, the largest installed base of UEFI firmware—albeit an older version of the standard—is Apple, a company not precisely known for having a cordial relationship with Microsoft.

Regards,

Aryeh Goretsky

Hello,

Some operating system and application developers--and online stores--scan all files with a battery of anti-malware programs before releasing them. This allows them not just to check for malicious code embedded in those files, but to avoid reports of a false positive detections on files they are going to distribute before they are released.

Many anti-malware programs are available on multiple platforms (Windows, OS X, Linux, BSD, Solaris, and so forth) and their databases are cross platform as well, e.g., the Windows version will detect malicious software not just for Windows, but for the other platforms, including mobile ones like WinCE, Symbian and Android.

Typically, the only time you limit detection to a specific platform is for mobile versions of an anti-malware product. Those devices are storage and memory constrained, so it makes more sense to just look for the threats which either (1) target that particular platform; or (2) are cross-platform and capable of affecting the mobile device (J2ME comes to mind). This would not be an issue when using the desktop or server version of an anti-malware program.

In this case, it sounds like Apple is either not pre-scanning submitted files for malicious code, or they are not using enough different anti-malware scanners to catch this. Depending upon the number of customers, potential for brand damage and even possibly the costs of legal action resulting from even accidentally distributing malware in your software (or through your online store) it makes sense to use a dozen or two anti-malware programs to check things--or even more as the situation warrants. Simply scanning with just a few programs, even five or six, isn't going to cut it, especially if one of those products is an OEM'd version of another you already use, as it's just going to report the same things as the product it's derived from.

Regards,

Aryeh Goretsky

Hello,

One thing I haven't seen mentioned about this particular mole hill is that it was uttered by someone who runs a blog dedicated to small form-factor devices like smart phones and tablets.

Given that typing anything of length on such devices is painful, it is unsurprising that he is denigrating the command line interface. It simply doesn't fit in his worldview.

Regards,

Aryeh Goretsky

Hello,

Somewhat surprised to see that the original research on the worm by ESET has not been mentioned yet on Slashdot. For all those who are interested, here it is:

• ACAD/Medre.A - 10000's of AutoCAD files leaked in suspected industrial espionage - post in ESET's blog by Righard Zwienenberg with high-level overview of the worm
• ACAD/Medre.A Technical Analysis - post in ESET's by Robert Lipovsky which goes into more detail on replication and payload of the worm
• ACAD/Medre.A White Paper [PDF, 2.36MB] - white paper with additional analysis and graphics.
• ESET Threat Encyclopaedia: ACAD/Medre.A - ESET's virus encyclopaedia entry on the worm. Also contains link to a free stand-alone cleaner.

From speaking with some of the ESET folks involved in the above, it seems there may be additional details forthcoming.

Regards,

Aryeh Goretsky

Hello,

I do not see this so much as an ultimatum by Microsoft to its partners as a warning.

Microsoft has invested a great deal of R&D into making Windows fast and reliable, only to find those efforts wasted by computer manufacturers who load up trial or otherwise limited versions of third-party programs which slow down the boot process and system performance overall, use up memory and disk space and introduce incompatibilities with other operating system components and third-party software, all in the pursuit of pumping up profits by turning the computer that you buy from them into a billboard, with those programs being the advertisements. Software companies have to pay for pre-loading the trial version onto a computer, and also have to pay a commission when a license is sold from that preloaded version.

The fact that whole taxonomies of software have been created (bloatware, crapware, shovelware to name a few), and that an ecosystem of programs like CCleaner (formerly Crap Cleaner) and PC Decrapifier (formerly Dell Decrapifier) have sprung up to solve the problem indicates how badly Microsoft's partners have abused their position.

In the case of the whole OEM software preload business, I think Microsoft has largely been the victim. They put strict branding requirements into Windows 95 for the desktop because they wanted end users to have the best experience possible. Manufacturers saw it as a way to make more money ("sell advertising space") and that's what pretty much started the initial antitrust investigation into Microsoft by the US DoJ. Yes, Microsoft has done plenty of horrible things, but they've also paid the price for those past misdeeds, not just in terms of fines, but in the distraction of having to deal with lawyers instead of being able to focus on delivering products and competing with companies like Apple.

Microsoft's partners cannot have ignored what Microsoft is doing with Windows Phone, Windows RT, the Microsoft Store, the Signature PC program and so forth. The writing has pretty much been on the wall for a while; this is just the latest paragraph: We have worked very hard to provide you with the tools to provide customers with a great Windows experience. If you do not choose to execute on that, we will.

As usual and for the record, all of this is my own opinion and commentary derived by observation and other public sources and neither reflects the opinions of Microsoft or my employer (who actually competes with them), although they'd both be fools to disagree with me. :)

Regards,

Aryeh Goretsky

Hello, That's not even John McAfee. Regards, Aryeh Goretsky