
Google Researcher Exposes Flaws In Sophos Software, Slams Antivirus Industry - ssclafani
http://blogs.forbes.com/andygreenberg/2011/08/04/google-researcher-exposes-flaws-in-sophos-software-slams-antivirus-industry/
======
someone13
Firstly, you can find the associated paper here:

<http://lock.cmpxchg8b.com/Sophail.pdf>

I actually find the technical details behind how the antivirus engine works
far more fascinating than the flaws in said engine. As Tavis said, most
antivirus companies don't publish details about their engines, so, flawed or
not, learning how Sophos does it is interesting.

~~~
gbrindisi
Me too. I am actually researching heuristic engines and I can assure you that
there isn't a research field so mysterious and jealously protected as
antivirus technologies.

------
ender7
Headline: "Google Researcher Exposes Flaws In Sophos Software, Slams Antivirus
Industry"

Inside: "Ormandy works by day as a security engineer at Google but said he was
representing only himself at the conference and that his research had been
done on his own time, _without the company’s knowledge or support._ " (my
emphasis)

I sense...Bullshit Title Tacked on by Asshole Managing Editor.

~~~
smackfu
The interesting question is whether Ormandy would research or publish flaws in
a Google product.

~~~
tshtf
Um, yes?

<http://googlechromereleases.blogspot.com/2010/04/stable-update-security-fixes.html>

<http://googlechromereleases.blogspot.com/2011/02/stable-channel-update_28.html>

<http://googlechromereleases.blogspot.com/2010/09/stable-and-beta-channel-updates.html>

------
meow
"argued that it would be unlikely that malware writers would tailor their code
to exploit flaws in Sophos given that it controls only 10% of the enterprise
market"

It seems to be a ridiculous argument to make. This would still not rule out
targeted attacks.

~~~
markbao
Yeah, it's absolutely inane.

Marketing front: _"The best antivirus software."_

Damage control: _"Don't worry, we're only 10%! Look at someone else, they have
more market so it's more dangerous for them to have problems like these!"_

~~~
lylejohnson
It's the same argument some people use when claiming Macs are more secure than
Windows machines.

~~~
scott_s
I've used it in the past as an argument for why there are fewer exploits for
Macs, which is different. That is, security is an inherent property, whereas
the presence of exploits is a function of that security and interest.

------
billybob
“If you examine a system’s security and it’s weakened, that system is flawed,”
says Ormandy.

With things like encryption schemes, definitely. But is this true for
detecting malicious behavior? If you show your criteria for finding it,
doesn't that tell malware writers how to avoid detection?

If I'm wrong - if openly saying "here are our criteria for identifying bad
behavior" won't help people avoid it - then shouldn't Google release its
criteria for identifying spam sites? I don't see Ormandy advocating for that.

------
a1k0n
The author of this paper seems to have a reputation for irresponsible
disclosure (just google his name) and was called out on it by, you guessed it,
Sophos:
<http://nakedsecurity.sophos.com/2010/06/15/tavis-ormandy-pleased-website-exploits-microsoft-zeroday/>

~~~
ohashi
Which is talked about in the article

~~~
a1k0n
Oops, didn't see page 2.

