Saturday, May 03, 2008

race to zero is no pwn2own

from mike rothman on the race to zero controversy:
It's like the PwnToOwn contest at CanSec. Some folks will find some interesting holes and the vendors will patch them. Same deal here.
simply put, modifying known malware so that it no longer resembles known malware closely enough for anti-malware products to recognize it is not the same as finding new software flaws that need to be fixed...

with an infinite number of possible modifications, it's technically impossible for known-malware scanning products to anticipate them all, so they stay out of the pointless business of anticipating them entirely... as such, failing to anticipate the ones used in this contest doesn't represent a flaw that needs to be fixed any more than failing to read minds does... dealing with new/unknown threats is the job of other technologies like behaviour-based HIPS (which i've already shown is available from a surprising number of traditional av vendors)...

coming from the guy who put me on to the phrase "mismatched expectations", this incite was a little off... but i guess i should expect as much when the prevailing wisdom in the security industry can't distinguish between malware research issues and vulnerability research issues...

all in all, the race to zero contest is really nothing like pwn2own... it's more like a cross between anti-virus fight-club and the consumer reports fiasco...
