[funsec] Re: Malware sharing? People are full of shit [was: Get your computer viruses here!]

Drsolly drsollyp at drsolly.com
Thu Dec 29 09:55:02 CST 2005


On Wed, 28 Dec 2005, Blue Boar wrote:

> Nick FitzGerald wrote:
> > And that benefits who most?
> 
> Anyone who doesn't want to be dependent on someone else for their AV needs.
> 
> Look, I'll come out and say it.
> 
> The AV companies have an ivory tower attitude; they think they can 
> decide who deserves to know something and who doesn't.  If I don't have 
> a "legitimate" need, if I won't agree to keep secrets, then I'm not 
> deserving.

No. 

Each individual has a responsibility to decide who they trust and who they 
don't trust. If someone decides that you're not trustworthy, then that's 
their decision. You have to make the same decisions.
 
> Those of us who have grown up in a world of full disclosure when dealing 
> with vulnerabilities and exploits are never going to buy into that. 
> That attitude carries over into the malware world.  Malware IS 
> different, but it's close enough that we are going to see it the same as 
> any other "dangerous information."
> 
> I used to work at SecurityFocus, which was at best quasi-AV.  We 
> published analysis reports, IDS signatures, instructions for manual 
> detection & removal, etc...  I was one of the guys who did a lot of the 
> malware analysis.  They are Symantec now, but this was prior to that.
> 
> I was provided samples by McAfee, Symantec, Kaspersky, Trend, and 
> probably a few others I can't recall.
> 
> I have also been provided samples since I left, and no longer had even 
> that tenuous grasp on officialdom.  These are more recent and more on 
> the sly, so that I don't care to name names.  That is based on (I 
> assume) part my reputation, and part the fact that the AV guys aren't 
> always as stringent as they claim to be, when dealing in private.  In 
> those cases, the usual restriction I'm given is to share as I please, 
> but to not name sources.

What you're saying here, is that you were considered trustworthy, and 
you're still considered trustworthy. I'm not seeing the problem here.
 


