Tag Archives: Andrew Lee

(Intellectual) Property is Theft?*

First of all, congratulations to Andrew Lee on his new role as CEO of ESET LLC. It’s as well that my work for AVIEN is unpaid, as otherwise he’d be my boss twice over. ­čśë Reading the press release here, it includes substantial references to AVIEN and the AVIEN book, to which many AVIEN members contributed, as did┬áAndrew and myself.

That was a very worthwhile project, but one of the less attractive aspects was the readiness of a great many people to generate and distribute pirated copies: apparently the time and effort it took us all to generate that book doesn’t deserve any recompense. In fact, I had a pirated PDF copy sitting on my desktop before my author’s (hard) copies arrived…. That wasn’t the first of my books to be pirated, let alone the only one. But it seems that the pace has picked up in recent years.

So imagine my joy on reading in the Vancouver Sun that ION Audio are about to market a device that can scan a 200-page book in 15 minutes. (Thanks to Robert Slade, my co-author on Viruses Revealed, for bringing this gem to my attention.) Well, it’s basically just a more ergonomic type of scanner, and hopefully dedicated pirates will find that having to turn all those pages by hand will still have a negative effect on their sex lives.

I don’t think there’s much doubt, though, that for every individual┬áwho has a legitimate and possibly legal reason to scan one of their books into machine-readable form (i.e. for iPad, Kindle etc.), there will be many more who will see this as a way to profit from the labour of others without asking the question “why do I have the right to assume that authors should go through the pain of writing and publishing with no right to any sort of return?”

What is really infuriating, though, is that it doesn’t seem to have occurred to ION that it is marketing rather more than a legitimate tool for honest students and educationalists. Or maybe it doesn’t care, because it can’t be used to copy ION hardware.

* http://en.wikipedia.org/wiki/Property_is_theft

David Harley CITP FBCS CISSP
AVIEN COO

AVIEN Sponsors VB 2010

Virus Bulletin 2010

In honour of our 10th Anniversary here at AVIEN, we’re sponsoring the pre-dinner drinks reception at the 20th Virus Bulletin Conference in Vancouver next week. In case you didn’t know AVIEN was formed out of conversations held at Virus Bulletin in 2000, and the relationship has been a long and friendly one between the two companies. We’re proud to help bring a part of the conference to the attendees.

Andrew Lee
AVIEN CEO / CTO K7 Computing

Snakeoil Security

This is a really good article about how poor  security products can appear to work, but actually increase the problem:

´╗┐http://ha.ckers.org/blog/20100904/the-effect-of-snakeoil-security/ *

The article also links to a good article about the ACUTrust product (which no longer exists)┬áhttp://ha.ckers.org/acutrust/ – which contains the following quote

“´╗┐like most systems that use cryptography it is not a vulnerable algorithm, but the system that uses it is”

This really does bear repeating as many times as possible. Just because a product claims to use cryptography – most will claim to be using AES256 – doesn’t mean they’re using it in a way that makes the system secure. Cryptography is all too often a security panacea, a ‘buzzword’ that makes the user feel like they’re safe, but the importance is, as always, in the implementation.

One of the best examples of this sort of failure I’ve seen recently is this┬á´╗┐http://gizmodo.com/5602445/the-200-biometric-lock-versus-a-paperclip. The incredibly secure biometrics in the lock mean nothing if the manual lock can be opened with a paperclip. Adding a stronger mechanism to a weaker one does not strengthen the system.

So why does this sort of failure happen so frequently? It really happens because security practitioners, as well as the people who buy security products, often don’t see the big picture. Security is about people, and what people will do (or not do) to the systems that they are presented with. A classic example is enforcing a strict ‘strong’ password policy that means that users write down their password, and stick it to the monitor so they don’t forget it.

Security isn’t really about products, or technologies – those can be enablers, but it is about seeing where the weaknesses are, understanding the risks, and taking what measures are possible to ensure those risks are minimised. Buying into ‘hot’ products is not a reasonable investment if you don’t understand what you are buying and why you’re buying it.

I personally am coming to believe that the greatest failure of security over the last 20 years is that we have failed to understand that we are securing (for and against) people not technologies, and people do the strangest things.

Andrew Lee
AVIEN CEO / CTO K7 Computing

* Thanks to @securityninja for the original link

HP Webscan opens a hole in your enterprise

In an interesting piece of research, Michael Sutton details the vulnerability opened up by leaving HP’s Webscan service enabled on your network attached scanner/printer devices.

http://research.zscaler.com/2010/08/corporate-espionage-for-dummies-hp.html

This really does highlight the fact that, when thinking about security, it is never good to assume anything. Any device attached to your network should be thoroughly examined, and the benefits considered.

Of course, it also is a big failure on the part of HP not to ensure such services are secured by default (or at least must be specifically enabled). Hopefully they’ll fix this, but for now, if you own an HP scanner/printer/fax device, then it’s worth checking you’re not exposing sensitive documents to the wrong people.

Andrew Lee
AVIEN CEO / CTO K7 Computing

AVAST takes $113 Million in capital

In what seems to be something of a trend for big investments or buyouts of AV companies, AVAST, the Czech based makers of the popular free AVAST Anti-virus, have sold a minority stake in their company to investment firm “Summit Partners”.

http://www.itnews.com.au/News/229866,avast-takes-113m-equity-injection.aspx

AVAST (formerly ALWIL software) has long been in the ‘free’ anti-virus game, as one of the pioneers of that model, and clearly it seems to be working for them. It should be interesting to see what they do with the cash and how their product line develops over the next few years as they compete with their big neighbour AVG, also Czech based and big in the free AV game.

Andrew Lee
AVIEN CEO / CTO K7 Computing

Also blogging at http://blog.k7computing.com

Virus Bulletin Seminar Announced

Virus Bulletin have announced the first in a new series of Seminars. Aimed towards the corporate IT Admins and security practitioners, the day long seminar will look at protecting organisations in the modern age of Internet enabled crime.

Speakers include

  • Bryan Littlefair, Vodafone Group
  • Bob Burls, Police Central e-Crime Unit
  • Graham Cluley, Sophos
  • Alex Shipp
  • David Evans, Information Commissioner’s Office
  • Andrew Lee, K7 Computing
  • Martin Overton, IBM
  • Richard Martin, UK Payments Administration

http://www.virusbtn.com/seminar/index.xml

There’s an early bird price available, and seats are likely to fill up fast, so get in early!

Andrew Lee CISSP
AVIEN CEO / CTO K7 Computing

More AMTSO stuff

They say there’s no such thing as bad publicity, though quite who ‘they’ are, and why ‘they’ would make such a clearly daft statement is beyond me. It seems that AMTSO has had it’s fair share of bad publicity recently –┬á a further example is the piece by Ed Moyle over on his blog at http://www.securitycurve.com/wordpress/archives/1773. It’s a long article, but it does show that Ed clearly doesn’t understand (or doesn’t want to accept) what AMTSO is trying to do – maybe that does just mean that AMTSO needs a better PR representation. Anyway, once again Kurt Wismer (or perhaps I should adopt his anti capitalist rendering and use kurt wismer) has provided some excellent analysis of Ed’s piece over on his blog at http://anti-virus-rants.blogspot.com/2010/07/i-see-standards-organization.html

There’s little more that really needs to be said from my perspective. For the record, I personally agree with Kurt (just can’t seem to get my head around the ‘kurt’ thing), in his analysis of the NSS report done by AMTSO – which seems to be at the root of this whole anti AMTSO campaign. The central point is that NSS did a good job, and came very close to the ideal – (if you haven’t read the review, then it’s here). It’s unfortunate that that has been taken as a negative thing or a slight against them to say that they did not fully meet the ideal standard set by AMTSO – it was still far better than many other tests, and I have every hope that people are sensible enough to recognise that. It’s hard for me to see quite how Ed jumps from that report to an accusation that AMTSO is ‘Slapping the labs’ – an argument even harder to see when a lab like Dennis Technology Lab (who have very similar methodology to NSS) voluntarily submitted their own test for the AMTSO review process (see the report here).

If there’s one thing we can learn from this, it’s that it does seem that there’s a double standard here – testers can criticise AV vendors with impunity in their reviews and tests of AV products, but when someone tries to apply that same process and rigour to the tests done by those testers, that is somehow anathema. Personally, I think that’s shoddy thinking, and I have no doubt that AMTSO will continue to strive, as it has done from inception, to provide the public with an insight into tests, and to support good testing practice (and incidentally point out less than ideal practice where needed).

Andrew Lee
AVIEN CEO / CTO K7 Computing

The edge of reason(ableness): AV Testing and the new creation scientists

First, let me start out by saying that I am in a bad mood. I probably shouldn’t write when I’m in this mood, because I’m in danger of just ranting, but I’m going to anyway. I’m in a bad mood because I am pretty fed up that some people are so deliberately trying to destroy something I’ve personally (along with many others) worked very hard to build in the last couple of years.

I’m in a bad mood because writing this is distracting me from the many other things that I need to do, and get paid to do.

I’m in a bad mood because I’m fed up with hearing that I, and others like me, have no right to comment on things that fall directly within my realm of expertise (and goodness knows, that’s a narrow enough realm) – and that if I do, it’s simply self-interested nonsense.

Secondly, let me also point out that although I’m now going to reveal that, yes, I’m talking about Anti-Malware Testing, and may mention AMTSO, I’m not speaking on behalf of AMTSO, nor my employer, nor anyone else, but me, myself and I (oh, that there were so many of us).

So, “What’s the rumpus?*” Well, in what has become an almost unbelievable farce, the last few weeks have seen mounting attacks on the AMTSO group and what it does.

For some background – those who are interested can read these articles.

http://kevtownsend.wordpress.com/2010/06/27/anti-malware-testing-standards-organization-a-dissenting-view/

http://krebsonsecurity.com/2010/06/anti-virus-is-a-poor-substitute-for-common-sense/

There are some very good points in the second (Krebs) article, although cantankerous is not something that I would say characterizes AMTSO all that well – as Lysa Myers has pointed out ‘AMTSO is made of people‘, and I think the generally negative tone employed is a shame. The first (Townsend) article is way more problematic; there’s just so much wrong with Mr Townsend’s thinking that I don’t really know where to start. Fortunately, Kurt Wismer has already done a great job of responding here, and David Harley an equally competent job here.

So why my response? Well, probably because I certainly am cantankerous.

I’m also, almost uniquely in this industry (David Harley is another), formerly one of those “users” that Mr Townsend is so adamant should be controlling the process of AMTSO’s output – indeed, the whole of AVIEN was set up in the year 2000 as an organisation of interested, non-vendor employed, users – albeit users who knew something about anti-malware issues. We were users responsible for protecting large enterprises, who wanted to be able to share breaking anti-virus information without the interference of Vendors or the noise of such cesspools as alt.comp.virus. We wanted good, reliable information.

I, like David Harley, later joined the industry as a Vendor, but I still understand what it is to be a user, and that was also a huge consideration in the setup of AMTSO – as so many have said before, and I want to reiterate here, bad testing of anti-virus products hurts everyone, the user most especially.

However, this debate is much more than just one on which we can ‘agree to differ’┬á – like whether Germany or Spain has the better football team might be – it’s much more fudamental than that.

Indeed, the only real analogy that comes close is that of the battle currently raging between the so called┬á faith based ‘science’ of creationists (let’s not prevaricate, Intelligent Design is just a euphemism for Creationism), and the research based science of evolutionary biologists and so on.

On the one hand, you have anti-malware researchers, professional testers and so on; people who study malware every day, who constantly deal with the realities of malware exploiting users, and who understand better than anyone the challenges that we face in tackling malware – if you like, the “Richard Dawkinses of anti-malware” (though I certainly would not claim to match his eloquence nor intelligence) –┬á and on the other hand, we have those outside the industry who say that we’re all wrong, that we’re just a “self-perpetuating cesspool populated by charlatans” (yet none the less, a cesspool at which the media feeds most voraciously), that nobody needs AV, and that everything the AV community does or says is bunk.

What I find so extraordinary (in both cases) is that those who are most in a position to provide trusted commentary on the subject are so ignored, in favour of those who have shrill, but ill-informed voices. Why is it that information from a tester; who may have just woken up one morning and decided to ‘test’ antivirus products; is taken on faith as being correct and true; and yet, when a group of professional people give up their time voluntarily, and work together to try to produce some documentation that sets out the ways in which anti-malware products can be tested effectively (and, no, that has nothing in particular to do with the WildList) and reliably, is it so violently decried as self-interested nonsense. It’s a terrible shame that science is so deliberately ignored in the face of popular opinion. Unfortunately, millions of people CAN be wrong, and often are.

AMTSO is not about dictating truth, but rather pointing out ways in which truth can be reliably found (and importantly, where it cannot).

I refuse to lie down and take it when someone tries to tell me that I’ve no right to point out the truth – and I’m not talking about truth based on some millenia old scripture, but real, hard, repeatable, scientifically verifiable, researched fact. If that makes me as unpopular as Richard Dawkins is to a creationist, then so be it.

If you’re interested in understanding why anti-virus testing is so important (and why so many professional testers participate in AMTSO) then, please, do have a read of the AMTSO scriptures er… documents, here.

Andrew Lee – AVIEN CEO, Cantankerous AV researcher.

* If you’ve not seen the excellent movie “Miller’s Crossing” you won’t know where that quote comes from.

(Thanks to Graham Cluley for pointing out that the first link didn’t go to the correct page.)

Brief hiatus

Our reader may note that it’s been quiet around here for a few weeks. Far from this being due to a lack of news, it’s rather that there have been a huge number of other things demanding time and attention. Not least of these is me trying to submit my master’s thesis on time, that and a few conferences, papers and other matters mean that we’re a little understaffed at AVIEN right now. Normal intermittent service should be resumed shortly.

Andrew Lee
AVIEN CEO / CTO K7 Computing