Mark's Notebook

My sketchbook, code and other things I'm working on.

Jul 24, 2006 - 5 minute read - Information Security

McAfee Calls for the “Digital Dark Ages”

This month (July 2006) McAfee Avert Labs published the first issue of Sage, a semiannual newsletter whose stated goal is to publish predictive and incisive security research that helps you understand the current and evolving threat environment.

Over the years I have been happy with McAfee and their products. Recently, I have become even more pleased with McAfee because of the Sabag Security podcast produced by two of their employees (http://www.saeagsecurity.com/). Sabag Security is wonderful weekly coverage of what’s happening in security. When I downloaded and read the first issue of Sage, I expected something like the podcast, with more detail.

To my surprise, McAfee’s Sage newsletter is a blast at Open Source and intellectual freedom, and a call to keep us all secure by making all intellectual property (IP) secret.

Sage opens with the Editor's Notes by Kevin J. Soo Hoo. Mr. Soo Hoo describes Open Source by saying, "By open source, we refer to the free and unconditional sharing of source code and ideas." Mr. Soo Hoo also says, "Whether posting a terrorist training manual or a how-to guide for attacking infrastructure, there are consequences to the free and open share of information –".

By making these statements, Mr. Soo Hoo is saying that the sharing of information is the source of our computer threats, and he is implicating the Open Source movement. He says, "…Modern malware is the product of collaborative efforts." And, "The professionalization of malware coupled with the powerful open-source model is creating a formidable, profitable, and criminal adversary for security professionals."

Mr. Soo Hoo supports his claim about how dangerous this malware has become by quoting Mike Danseglio, a security program manager at Microsoft, speaking at the April 2006 InfoSec World Conference. I’ll repeat it here: “When you are dealing with root kits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the system from orbit.”

To me, this shows that even Microsoft doesn’t understand the workings of its own code. With Open Source, everyone has an equal opportunity to understand the code. Although this does allow malware writers to understand intimate details of the system, it also means there is nothing malware writers can do that cannot be figured out, as long as they continue to open source their code. If virus and malware authors protected their code with copyright and/or trade secrets, they could use the DMCA to sue companies like McAfee for reverse engineering their viruses. As far as I know, writing a computer virus is not illegal. It is the release of the virus, and the damage it does to other people's computers, that is wrong.

In his defense, Mr. Soo Hoo does say in his last paragraph, "Open source is not to blame for the current security trend, though it is a critical enabler for malware. In light of the ways malefactors use open source, perhaps the time has come to re-evaluate long-standing beliefs about full disclosure and absolute adherence to the open-source creed."

Is this not a call for a digital dark ages, or what? And why would he poke at the Open Source movement to do this? Mr. Soo Hoo calls Open Source an enabler for malware, but he doesn’t call out bulletin boards or books as culprits, even after quoting Dmitry Gryaznov, who says “malware authors have been collaborating and sharing source code, using books and bulletin board systems and eventually, ftp sites and the Web, since soon after the first computer viruses appeared in the late 1980s.” I’m guessing he felt a call for the banning of books would be going too far.

In the first article, entitled “Good Intentions Gone Awry”, Dmitry Gryaznov asks, “Open source was supposed to hinder malware. So what happened?” Mr. Gryaznov explains in great detail how viruses started in 1988, when MS-DOS was growing rapidly and spreading deeper into Microsoft's products. He says malware authors used bulletin boards, namely the VX BBSes, to share new code and ideas. Mr. Gryaznov’s only comment about Open Source is to say, “These modern-day, open-source projects are simply the latest incarnations of an enduring culture of sharing that exists among malware authors.”

So he totally ignores the fact that the hundreds of thousands of viruses, and the vast majority of malware, affect Win32 code and not open source projects like Linux, Apache, MySQL and hundreds of others.

In the next two articles, “Money Changes Everything” and “Building Better Bots”, the authors try to show how NetNews Bot writers have used Open Source techniques (the sharing of information over the Internet) to strengthen their code and make it more powerful. This time I have to agree. They have used many of the same Internet services and sharing techniques used by Open Source developers. Wouldn’t you? Doesn’t Microsoft? When did the sharing of ideas become illegal?

In the last few articles, the authors get to the real subject: do you disclose vulnerabilities in code, and/or pay for finding them, or do you keep these things secret? This has always been a hard question to answer. I’ll use an equally hard one as an example.

Do we teach our kids all the details of sex so they can avoid unwanted pregnancies, or do we keep it a big secret? In both cases, the problem is unknown to the owner of the "software". In both cases, we try to teach them not to engage in risky behavior. Admittedly, a hacked computer is not as likely to change your entire life. And software owners are not as likely to get in trouble by playing with their software.

I think security people should measure the likelihood of a risk becoming known to the public. I'm sure Microsoft knows of lots of security problems it has not disclosed. And unless they are likely to be found, it should keep them private. But if people know how to use some kind of software to exploit other people, everyone should be informed.

The malware talked about in the Sage document evolved.