On Sat, Jul 14, 2012 at 4:25 PM, Bruce Schneier <schneier@schneier.com> wrote:

... Many roadside farm stands in the U.S. are unstaffed. They work on the honor system: take what you want, and pay what you owe. I like systems that leverage personal moral codes for security. But I'll bet that the pay boxes are bolted to the tables.

many but not most. also, goats are exceptional sources of inspiration on side channel attacks and insider threats. more on this later.. ;) [i'd like to see a survey of info-sec specialists[0] turned ag entrepreneurs. or sechors[0] as jya calls them...]

The Failure of Anti-Virus Companies to Catch Military Malware

Mikko Hypponen of F-Secure attempts to explain why anti-virus companies didn't catch Stuxnet, DuQu, and Flame. His conclusion is simply that the attackers -- in this case, military intelligence agencies -- are simply better than commercial-grade anti-virus programs.

this is true. they are better.

I don't buy this. It isn't just the military that tests its malware against commercial defense products; criminals do it, too.

many criminals are also better! ... but not most. heh

Probably the people who wrote Flame had a larger budget than a large-scale criminal organization.

as evidenced by novel MD5 collision attacks leveraged for windows update MitM (aka, "holy grail") and expansive A/V countermeasures via, again novel, code injection methods. they also do extensive QA to ensure success against their targets, spanning whatever platform and processes. QA is expensive, and methodical QA on malware; this makes me chortle!

I think the difference has more to do with the ways in which these military malware programs spread. That is, slowly and stealthily.

this is intended to preserve return on investment. maybe one difference, but not the most significant.

it seems clear that conventional non-military malware writers who want to evade detection should adopt the propagation techniques of Flame, Stuxnet, and DuQu.

they won't and they don't need to. conventional malware targets the masses, and they're vulnerable without much effort. military malware targets the specific, and they'll do whatever they can (which is significant) to achieve success. entirely different domains!

... I think there's an interesting discussion to be had about why the anti-virus companies all missed Flame for so long. http://www.f-secure.com/weblog/archives/00002388.html

this is succinct and apropos. commercial A/V is not going to protect against state sponsored attacks (of which world class malware is a part). such protection requires ..., well, far more than kaspersky can ever give you :P 0. "Reign of the Sechors" http://cryptome.org/2012/07/sechors.htm _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/