
ethical conflict in the anti-malware domain

forgive my silence over the last little while. motivation to blog sometimes isn't easy to find. as time wears on, fewer and fewer things get under my skin enough to drive me to rant (is that what it means to mellow with age?). but since you're reading this i think you can guess what this post implies.

five years ago i wrote a post about what i perceived as an ethical conflict in the anti-'rootkit' domain. it detailed the actions of two of the most notorious names in stealthkit research, jamie butler and greg hoglund, and how they were profiting from making a particular niche of the malware problem more popular (and thus, inevitably a bigger problem).

one of the things i pointed out was that symantec was working with a start-up company (komoku) that had jamie butler (author of what was at one time one of the most widely deployed stealthkits around) as its chief technology officer. i thought the fact that an anti-malware company was in bed with a company that hired such a high profile malware writer deserved at least a moment of reflection, considering the hard-line stance anti-malware companies take on hiring malware writers themselves. at the end of the day, mind you, that start-up was focused on prevention so maybe the argument could be made that mr. butler had reformed or was trying to reform in some way. (mr. butler has since moved on to mandiant, along with his disciple {the FU2 to butler's FU} peter silberman)

when i read earlier this past week that another anti-malware company (mcafee) had been working with greg hoglund's company (hbgary) i thought it an interesting historical footnote but paid little attention to it beyond that (though, if i had remembered that mcafee had once been pointing fingers at rootkitDOTcom, maybe the hypocrisy would have stood out more). after all, little attention seemed to be paid to such connections five years ago so why should this time be any different? well, that was before i knew what hbgary was into.

apparently, on top of the legitimate work that one can find out about by visiting the hbgary website (which of course i won't link to), it appears that hbgary also writes and sells malware for fairly large sums of money. the customers for their malware include the government/military but might not stop there. even if that set of customers does stop there, hbgary appears to be in the high-end commercial malware business.

so where does that leave mcafee? it leaves them in bed with commercial malware writers. while AV companies have been proclaiming for decades that they don't and won't hire malware writers, apparently they don't have to. they can simply partner with the boutique security shops that do. clearly they are not picking their business associates as carefully as they are their actual employees.

and then there's the claim that surfaces from time to time that AV companies won't make special provisions to keep malware deployed by the authorities from getting detected. what's the point of making such a claim if you're just going to turn around and do business with the company that may very well be making said malware?

how many other AV companies, besides mcafee, were or are in bed with hbgary? how many are in bed with companies LIKE hbgary? where's their ethical high horse when it comes to partnerships? why wasn't the "malware writers need not apply" policy updated when commercial malware became the norm and presented the loophole we see before us today?

some AV companies are rewarding malware writers financially. it may not be in the ways we traditionally thought of, but with the #2 company in the industry involved in this practice (and arguably the #1 company as well, depending on where you want to draw the line), the end result is AV companies contributing to the commercial success of malware writers, and that is not ok at all.


how do you get to the top?

so how do you get to the top? well, if you're an anti-virus company it stands to reason you get there through technical excellence (yes, i can hear you snickering from here). of course if you have technical excellence then it also stands to reason that your people know what it is they're talking about when they go and say something about malware in public.

specifically, what i and many other people expect is that people working for the #1 anti-virus company at the very least know the difference between viral and non-viral malware. those kinds of basics seem like they should be prerequisites for achieving technical excellence in the anti-virus industry.

apparently that is expecting too much, since some people (in the industry, no less) are still using the term 'virus' as the umbrella term instead of the more accurate term 'malware'. i'm not sure exactly when it happened, but at some point i started hearing more terminology misuse from media sources within the industry than i hear from general media sources in the world at large.

to say that cancels out any willingness i might have had to suspend disbelief about the question of technical excellence is an understatement.

now one explanation i could entertain is that this is actually part of a very clever plot to keep the public confused and disoriented. governments long ago figured out that it was easier to control their subjects if they kept them stupid and uneducated. it doesn't seem unreasonable to suppose that corporations might make use of similar tactics. the foundation upon which greater understanding and ultimately greater self-reliance is built is an accurate and consistent body of knowledge about the topic at hand. authoritatively using terms where they don't belong unquestionably undermines the process of developing that body of knowledge. it is precisely the type of tactic i would expect if corporations were trying to keep the masses easily manipulated.

that being said, i'm still prone to give the benefit of the doubt. never attribute to malice that which can easily be explained by incompetence. of course, since that reflects poorly on the possibility of technical excellence, that still leaves open the question of how one can get to the top and stay there.

without technical excellence being the driving force to keep the top players on top, we eliminate the possibility that the system is a meritocracy - or at least if there is a meritocracy, it's not the merits of the technology that are important but rather the merits of the efforts to manipulate people into thinking their technology has the most merit. that's called marketing. in essence, it's the best manipulator, not the best technology, that wins.

(though a system that rewards manipulation seems like it should eventually evolve into one that actively tries to keep people stupid in order to manipulate them more easily)