David Harley shares some of his thoughts on public perceptions of the anti-malware industry.
Copyright © 2006 Virus Bulletin
Unfortunately I was unable to attend this year's Virus Bulletin conference, but last year's VB conference in Dublin is still fresh in my mind – in particular for the way in which it managed to mix a little media controversy in with the usual lively panel discussions.
One of the thoughts I took away with me from both panel sessions was that, irrespective of its technical advances, the anti-virus industry continues to fail to win hearts and minds. On the contrary, we are mistrusted by our customers, by the media, and especially by other sectors of the security industry. We are, apparently, incompetent, elitist, cabalist, money-grabbing, publicity-greedy, and generally ethically challenged. But we have our bad points, too.
In 1997, a reformed virus writer named Mike Ellison (also known as Stormbringer – who, incidentally, came across as a very nice, and intelligent bloke) addressed the Virus Bulletin conference to let the audience know why the anti-virus industry should employ him (as a channel to virus-writer thinking and initiatives).
Not surprisingly, the vendor representatives who were present came back with the usual set of responses to this sort of overture from the 'dark side':
It would send an encouraging message to other virus writers.
Virus writing and anti-virus development are discrete skill sets. This may not be as true now as it used to be: today's malware authors are more 'professional' – in several senses of the word – than they were in those days. Still, it's certainly true that the ability to write even a sophisticated virus is not necessarily proof of the ability to write disciplined code in collaboration with other developers, or even to analyse and write detection for someone else's malcode.
Anti-virus developers are expected to be whiter than white. This, I guess, is still generally the case. AV teeth grind all around the world every time another malware author, whose main distinction is that he got caught, is offered a job in the security industry (though not usually within several miles of the AV industry). Certainly there is a trust issue here, although I suspect that there is also an entirely rational reluctance to allow other AV vendors the chance to reap competitive advantage by pointing the finger at those who employ black hats. I wonder whether that is why so many vendors have stated that they would not employ someone who’d gone through a controversial course at the University of Calgary which included virus creation as an academic exercise.
Thankfully, for these and other reasons, the industry does not usually employ virus writers. Pragmatically, though, I wonder if part of the problem isn't exactly that image of plaster sainthood?
Many of the people – even security people – with whom I have worked in the past have been convinced (in a jocular sort of way) that the AV industry 'writes all the viruses'. (Not to mention some of the schoolchildren I've talked to about security.) Some of them (my security colleagues, not the schoolchildren) have also pointed out that every time I left the country there was a new worm or mass mailer – and maybe that's part of the problem, too (not that I do write worms as I bus across the Outback, but that people wish I did).
For years I've made the usual commonsense counter-arguments when people have asked me whether the AV industry writes viruses, and/or about my own virus-writing activities/prowess. For example:
No one (outside of Hollywood) thinks that doctors go out of their way to create diseases, or that crime is a fiction dreamed up by law enforcement agencies to keep themselves in employment, or even that lavatory cleaners spend their idle moments blocking toilets. Why, then, are we regarded with especial suspicion?
I try to explain that some researchers go to extraordinary lengths to avoid writing a new virus, even for research purposes.
I point out that if AV developers wrote viruses, a lot of malicious code would be of a much higher standard, and that very few viruses approach the sophistication of a good commercial anti-virus suite, let alone a million and a half other legitimate applications. Surely, if all the viruses disappeared tomorrow, people who are capable of developing a state-of-the-art AV scanner would certainly be able to find coding jobs next week?
'No', I say, 'I've never written a virus'. 'Yes', I say, 'I could write one': a seriously braindead overwriter would take seconds rather than minutes. 'No,' I say, 'I won't show you one, though I might show you how one works with a bit of pseudo-code.'
You can see the disappointment in their faces, at this point, and I have some theories as to why that is.
Perhaps they want to be touched by the reflected glory of being associated with someone who plays with these dangerous, but glamorous objects.
They're curious, and want a more concrete image of what a virus looks like. Certainly I've often been asked to show people my collection, or demonstrate how viruses work, and I've even been asked to give them a sample or two to play with.
They want to be reassured that I know what I'm doing, and figure that if I know how to write viruses, I must also know everything about defending against them. (Of course, this was also a common view among hobby virus writers, in the days when I talked to some of these guys.) Clearly, it isn't altogether convincing or reassuring to say 'I could do it if I wanted, but I’m not going to.'
Some of the end-users with whom I've worked have shared this mindset, but most of them want to keep it all at a safe distance.
Do these theories take us any further towards understanding why the AV industry is so mistrusted? Some way, yes. These people have been over-exposed to the idea that the best gamekeepers are poachers, and under-exposed to the idea that not all poachers are successful poachers. Nor has it been pointed out to them sufficiently clearly that poaching and enforcing anti-poaching laws do not necessarily require identical skill sets.
But there are other reasons for this dislike. The industry is seen as elitist (and why not? AV is a difficult speciality, and that demands respect, or at least it should). 'Paternalist' is another word that is sometimes heard in reference to the AV industry – and it's true that even those of us on the fringes of the industry have been told from time to time not to bother our pretty little heads with issues that we don't understand.
However, this industry has earned its paranoia. Those who mistrust the fact that we close ranks against other sectors of the security industry perhaps do not realize that some individuals in those sectors swing between two extremes: expecting special treatment as a 'professional courtesy' (e.g. in terms of receiving samples) on the one hand, and dismissing the whole field as a minor branch of security that requires no special skills on the other.
Certainly we are secretive: we still go against the general 'full disclosure' flow, and have good reason to do so. But the fact that the research community collaborates freely among trusted individuals doesn't seem to have registered with the world at large: recently, the suggestion that companies still withhold samples from each other for competitive advantage resurfaced in a UK national newspaper.
AV vendors live under a harsh spotlight. Commercial AV is seen as somehow unethical because it's paid for, whereas well-meaning, but partially ineffective and unsupported freeware is seen as laudable.
When a commercial AV product hits the false positive reef it makes headlines, but the more frequent blemishes on some non-commercial AV are rarely reported. Conversely, no freeware solution (freebie versions of commercial solutions excepted) detects everything that a commercial scanner does – but nobody seems to mind. There is a place in security for open source, but there is a tendency for some users of free software to overstate its accuracy and advantages and disregard its drawbacks.
Perhaps the single most damaging perception, though, is that the industry remains wedded to the evil subscription model. Everybody 'knows'’ that anti-virus vendors only know about viruses, and even then only the viruses for which a signature exists.
We can keep plugging away at this half-truth by pointing out at every opportunity that AV detects many threats other than viruses, and continues to develop heuristic detection and associated technologies to astounding levels of capability.
It's more difficult to overcome the presumption behind these assertions, which is 'if they weren't so protective of their revenue stream, they would let us all use the 100% effective solution which must be out there somewhere'. Well, there are certainly conceptual and actual alternatives – though perhaps 100% is a little too much to hope for, in these days of a hopelessly diverse range of threat types – and the AV industry has embraced some of them with a certain amount of enthusiasm in the past. If the industry moved en masse to integrity checking, for instance, patches and enhancements would support that the subscription model would not disappear, as it hasn't with personal firewalls, for instance. It's likely that virus-specific detection still rules because it detects and removes malware with reasonable precision (mostly) and isn’t as prone as more generic technologies to false positives. Its downfall is that it doesn’t and can't detect all malware, especially non-replicative types.
Security isn't expected to be 100% effective – many of us may have suffered from line managers and customers who thought it should be, but it never works out like that. So why should anti-virus be perfect? Perhaps the problem isn't so much virus management, or even integrity management, but expectation management. In the end, it always is.