
Antivirus Companies Shouldn’t Have Hidden What They Knew About Regin - aburan28
http://www.technologyreview.com/view/533136/antivirus-companies-should-be-more-open-about-their-government-malware-discoveries/?utm_campaign=socialsync&utm_medium=social-post&utm_source=facebook
======
wmt
It's easy to say it should be publicised, but I'm not sure how someone can do
that if the infected organisation specifically asks the antivirus company not
to publicly discuss the malware, like what appears to have been the case with
F-Secure.
([https://mobile.twitter.com/mikko/status/536959936476221440](https://mobile.twitter.com/mikko/status/536959936476221440))

Sure, they could just go ahead and disclose it against the customer's express
wishes, but how many would hire their services in the future if there's no
expectation of customer confidentiality?

Edit: There likely is an NDA in place even before externals are allowed in, so
breaching it might invite more problems than just image issues.

~~~
lvs
It would be possible to discuss the find publicly without disclosing the
source. I'm pretty sure that's how all national security journalism functions
today.

~~~
freehunter
Even that may be against the contract. I've worked with companies where their
NDA said their security troubles can't be disclosed even if the information
was completely sanitized. Even saying "One company in the US was impacted by
Malware X" would be inviting the lawyers.

But I don't know this particular contract, so that may not be in play.

------
thornjm
Cleaning up a modern malware infection is quite a big task. You can't
immediately wipe it off a single computer because you will be playing whack-a-
mole forever.

You have to carefully monitor and learn everything you can about the malicious
actor, and discover all the infections. Then produce a plan to remove it and
prevent further infection. This is all implemented at a single instant.

However, it doesn't end there, you then have to monitor very carefully to see
if it comes back. If this can all be done in secret it is much easier,
especially if the malicious actor doesn't know you know they are there.

If you immediately reported everything you knew it would greatly assist the
malicious actor - keeping it secret is part of trying to stay ahead in the
game. Even after the first incident keeping it secret helps with future
incidents.

~~~
noinsight
> Cleaning up a modern malware infection is quite a big task.

And the only way to clean up a compromised computer is a full reinstall. You
can't possibly know what has happened on the compromised computer during the
compromise. This is what the desktop support jockeys and most companies get
wrong - obviously it's probably because of the cost associated with a full
reinstall, but it doesn't make it any less valid. If it costs too much,
companies should then focus on preventing machines getting compromised in the
first place.

Think about it, if I ask you to hand over your laptop for say, an hour, during
which I have completely free rein over it, can you tell me everything I've
done during that hour and all the backdoors installed, if any?

And to nitpick, obviously these days not even a full reinstall might do it
when there are BIOS viruses and even hard drive firmware can be compromised,
etc., of course.

~~~
likeowned
"Think about it, if I ask you to hand over your laptop for say, an hour,
during which I have completely free rein over it, can you tell me everything
I've done during that hour and all the backdoors installed, if any?"

Yes, I can. Read up on modern digital forensics. Everything you do on a
machine leaves a trace and there are ways to recover those traces and put
together exactly what you did. That is exactly what Incident Response/Digital
Forensics Firms do. An IR firm would never tell you to just reimage a machine
when you're dealing with an advanced attacker. They'd want to go through, use
the tools they have to identify exactly what happened on the machine and what
other machines were compromised before they even started talking remediation.
Wiping the one machine that you got an alert on would do absolutely nothing to
solve the problem.

~~~
al2o3cr
"Read up on modern digital forensics. Everything you do on a machine leaves a
trace and there are ways to recover those traces and put together exactly what
you did."

As a followup, both you and GP should read up on digital forensics from
someplace OTHER than their marketing material...

------
toothbrush
Non-ironic question: do many people on HN use anti-virus of some form or
another? Generally I'd probably trust people's judgement here as far as that
goes. I naively use Linux with no externally accessible services running and
no active anti-virus -- am I an idiot, should I clean-install everything ASAP?
Or do yous reckon this is reasonable?

edit: clarification

~~~
tptacek
No.

~~~
toothbrush
I'll take the bait: what kind of system would _you_ run? Linux? No evil web
browser plugins? A personal computer which you never use to browse the web
(RMS style)? Anything more exotic?

~~~
tptacek
I have a Macbook, like most of us. I turn the firewall on, and I use Chrome.
That's about it.

------
zecg
"My guess is that none of the companies wanted to go public with an incomplete
picture." -- or, see Assange's censorship pyramid:
[http://wikileaks.org/Transcript-Meeting-Assange-Schmidt#279](http://wikileaks.org/Transcript-Meeting-Assange-Schmidt#279)

------
phkn1
Here we see the other side of the "responsible disclosure" coin -- if the
ethical white-hat security researcher is required to withhold publication of a
critical vulnerability for a set amount of time, is there a corresponding
deadline for timely publication as well? And if that deadline is not met by
meaningful attempts at remediation or disclosure, is the researcher not
compelled to publish the findings independently?

Obviously these companies failed miserably to meet any reasonable person's
timeline of disclosure. One question is whether the extra time researching
this malware reasonably would have produced additional worthwhile intelligence
about its function and targets. If so, then the delay was "worthwhile".
Another question is whether it's not better to simply release an incomplete
picture to the security community (perhaps selectively) and let the larger
hive mind go to work on finding and corroborating additional clues.

It seems like the firms chose the former; many HN readers would advocate the
latter. So finally, the question remains whether such a forced disclosure
would be perceived as an irresponsible "leak" based only upon the disagreement
in methodology and interpretation of "responsible"? Would its withholding be
considered likewise irresponsible? Can a single firm, a collection of firms,
or the security research community at large meaningfully stay ahead of a
dedicated state-funded attacker? (Probably, Probably, Probably not).

If a nation-state is producing malware, it logically will also be monitoring
the channels of disclosure for evidence of its release and detection in the
wild. But that's no reason to limit the resources being dedicated to
protecting the public; it's egotism at best and collusion at worst.

------
justfane
I think the issue is... Windows is the biggest problem because most of the
'malware' kids come from hacking communities... Most communities use VB.net or
C#. When I coded in both of these languages things seemed easy, and there are
really only FUD packagers on Windows to make the executable undetectable.
It's easy to code a RAT program or anything in VB.net or C#.

------
wfunction
I didn't see a compelling argument for why they should be publicized in the
article.

~~~
higherpurpose
You mean other than the obvious "trust" benefit? If "anti-virus" companies
don't want to protect you against "certain" viruses for political reasons, why
bother trusting them and buying their product?

~~~
wfunction
What would your alternative be? Not buying their products?

~~~
kodr
If the free alternatives protect you equally fine, yes.

~~~
drivingmenuts
> if the free alternatives protect you equally fine, yes.

Well, that's a Catch-22 and a half if there ever was one. Absence of detection
doesn't mean absence of malware, it just means you haven't found out how badly
you've been infected. The paid-for guys are halfway in the pockets of people
who've paid more and the free guys are lagging behind.

------
jmnicolas
I don't care if they publicize it or not, what I care is that they protect me
against the malware.

I'm very disappointed by Kaspersky: I chose them specifically because they
were Russian, I thought they would not be susceptible to NSA pressures.

~~~
Illniyar
From the article it appears that they did protect against it.

At least, that's what I understand from "all the companies had added
signatures for Regin to their detection database".

