
Comment Re:but why? (Score 1) 51

I honestly don't think you could pass off something this simple as a pen-test tool. You could probably pass it off as a pure remote administration utility. But this would require you to add lots of extraneous functionality that would seriously confuse the intended market, and you couldn't market it to them directly either (I guess this could work anyway if you could incite some really strange grassroots campaign.) On the upside, if the virus engines wouldn't recognize it, you wouldn't have to include signature-evading code (polymorphism, packing...).

User Journal

Journal Journal: Hello, dear viewer.

If you're reading this, it means that you have probably clicked on my username, probably in response to something I posted! How fun. If you want to contact me for whatever reason, or just insult me behind the sweet, sweet cover of your shiny-but-oh-so-Freudian 30" LCD, just leave a comment here.

Comment This is good. (Score 4, Insightful) 51

But it's stuff like this we're really after: http://en.wikipedia.org/wiki/MPack_(software). People who code professional-grade malware generally do so to profit off of it. It's well known that in the existing ecosystem of digital crime the malicious hackers themselves rarely act as attackers in large-scale id/credit card theft; instead they sell it to people who do. Quoting this extremely enlightening interview: http://www.securityfocus.com/news/11476

"The project is not so profitable compared to other activities on the Internet. It's just a business. While it makes income, we will work on it, and while we are interested in it, it will live. Of course, some of our customers make huge profits. So in some ways, MPack could be looked at as a brand-name establishment project."

This particular piece of spyware is amateur stuff, aimed at paranoid spouses/bosses, but if we can hit the business of selling spyware (probably requiring the cooperation of the international banking system, as well as the governments of China and Russia) it would totally cripple large-scale internet crime as we know it. It's a pipe dream, of course. But one can always dream.

Comment More competition in this sector may be good. Or? (Score 4, Informative) 448

The antivirus market is, as everyone knows, the most FUD-filled part of the security industry. The effectiveness of different antivirus products is largely anecdotal, and shifts rapidly because of the arms race between virus writers and antivirus manufacturers. As it stands now, even "expert" end users cannot ascertain the relative effectiveness of the suites, and because antivirus products are still heuristics-based with a few "depacker" routines built in, they only catch the really obvious fish. (One funny thing with this is, if you pack an executable with a common yet relatively complicated packer, say "redeye", it'll get caught, but if you just jump in and jumble up the instructions with a debugger you can make it "invisible" easily). Because of this reliance on FUD to sell, and because there *is* already fierce competition in the antivirus market, maybe this won't change much, unless MS locks other vendors out somehow. Or will it be a different form of competition, because of the now-asymmetrical playing field? MS has an advantage in that they have access to the code and people who wrote the code, and designed the OS architecture.

Comment Re:Russian C&C is Actually Less Desirable (Score 1) 242

Yes, but couldn't you just have two layers of C&C? Using socks proxies on bots running on home computers spread out over tier-3 ISP IP pools that don't blacklist "bullet proof" countries, combined with a few cheap colocated hosts inside US borders for data storage, communicating back to hosts on safe territory is the method I would use if I wanted to use the simplest, cheapest and most reliable method, and wasn't the sharpest knife in the drawer. The really sharp solution would be to have a storm-like P2P botnet architecture with irregularly steganographed and encrypted connections back to C&C servers on safe ground (e.g., even if the "mothership connections" were discovered, they would look like they were coming from disparate botnets.) I think such a system could be maintained for the foreseeable future, as long as you keep adding new steganographic methods to the pool.

Comment Unsurprising find? (Score 2, Insightful) 218

Doesn't everyone do this subconsciously, when they feel they would benefit from it? I know I have to stop myself sometimes, when I put myself in "vulnerable mode" to make people trust me more. I don't try to con people, I just do it because it... works? On the other hand, I'm into computer security. Maybe stuff like that is just part of the "security mindset" Bruce Schneier et al. espouse? 2% sounds like a surprisingly small figure though.
Security

The Neurological Basis of Con Games 218

Hugh Pickens writes "If we humans have such big brains, how can we get conned? Neuroeconomist Paul J. Zak has an interesting post on Psychology Today in which he recounts how he was the victim of a classic con called 'The Pigeon Drop' when he was a teenager and explains how con men take advantage of the Human Oxytocin Mediated Attachment System, called THOMAS, a powerful brain circuit that releases the neurochemical oxytocin when we are trusted and induces a desire to reciprocate the trust we have been shown. 'The key to a con is not that you trust the con man, but that he shows he trusts you. Con men ply their trade by appearing fragile or needing help, by seeming vulnerable,' writes Zak. 'Because of THOMAS, the human brain makes us feel good when we help others — this is the basis for attachment to family and friends and cooperation with strangers.' Zak's laboratory studies have shown that two percent of the college students he tested are 'unconditional nonreciprocators' who have learned how to simulate trustworthiness and would make good con men. Watch a video of Skeptics Society founder Michael Shermer running the classic pigeon drop on an unsuspecting victim and see if you wouldn't be taken in by a professional con man yourself."

Comment Re:Ideologically Motivated News (Score 1) 360

Yeah, but a country isn't a house. For example, you do not, as the owner of the house, have exclusive right to regulate lethal force within it. Allowing closed communities to form with their own laws and moralities about such basic things as the freedom of speech isn't generally good for society, or the people in the communities. Look at North Korea or Saudi Arabia for example.

Comment Taint. (Score 1) 360

No matter if the people protesting Novell are a vocal minority subgroup that annoys most people. Having police roughing them up and removing evidence about doing so is bad PR for all free software, and it's completely immoral to rationalize this sort of reprehensible behavior just because you don't agree with what they're protesting about. So they still live. So what, it still shows that this specific police force consists of thugs. Do you people feel relieved over not getting shot every time you pass customs at the US border?
