
All your bad PDF are belong to me - x0ner
HackerNews crowd, I am calling all security engineers and system administrators to please send me your malicious PDF files! Why you ask? Well, I am doing research to combat against malicious PDF files and need known bad or suspicious samples to collect data from.

Consult your SPAM filters, quarantined files or repositories of malicious data and head over to here to submit: http://allyourpdf.9bplus.com/ . If you can point me to any other sources besides the malware domain list, then that is good too!

Thanks and Happy Holidays!
======
iwr
I fail to understand why pdf is not a purely representational document format
(i.e. without scripting and executable content).

~~~
x0ner
It would certainly solve a lot of the problems associated with the files.
Requiring JavaScript should only be allowed if a sufficient justification is
provided. Simple things could be done to solve a lot of these problems, but
alas, we love our Internet calling functions.

~~~
hga
However there are "sufficient justifications"; the best I've seen is a
Missouri individual state income tax form, which besides the expected sorts of
things generates a 2D barcode with all the important data encoded into it.

Print it out, they scan it in, I can't imagine how much time, money and hassle
it saves. Allows for _fast_ refunds as well.

So, given that and other useful form type pages, how could we properly manage
allowing JavaScript for the masses?

~~~
x0ner
Offhand I can't really think of a way to manage the problem. Instead I am
looking at ways to identify the bad parts of it and improve detection. Email
me if you would like more details.

At this point the specification is not going to just remove or change the
problem elements simply because outside the context of the Internet, they're not
bad. The specification merely offers flexibility to those using or creating
PDF files. It is the abuse of that flexibility that makes it extremely
difficult to identify "known bad" files or protect against them.

What I was getting at was a centralized approval system similar to an issuing
certificate. In other words, to use certain functionality, you would need to
request it from a trusted entity. This of course would be outrageous and
likely to be circumvented, but it never hurts to dream.

------
GrandMasterBirt
Can the title be edited as Crowdsource HN: ....

More descriptive of what's going on, so people actually click and listen :P

~~~
x0ner
If you know a way to change it, please let me know and I will do so. Shoot me
an email and I can discuss some of my research with you. If you have any
interest or appreciation on the subject then I think you will like what I have
going on.

