Archive for August, 2009

What is Ethical?

August 10th, 2009

If one of my college professors stumbled across this post she'd probably have a heart attack, since she taught an entire course on ethics. Yet it seemed like the most appropriate title for this post.

Over the years, countless inventions have improved mankind, yet each has introduced a negative side effect. The gun provides a means to hunt and defend more efficiently, yet it also provides a means to kill with ease. The plane decreased travel times, then someone thought to attach a bomb and fly over a target. Water is a basic necessity of life, and even it has been used for evil.

Now, according to Kurt Wismer, the inventors of these (we'll leave water out of this since I don't want to start a religious debate) should feel responsible when they are used for evil. That means that the Wright Brothers should have felt shame every time a bomb was dropped from a plane. I can't help but feel that's more than a little preposterous.

This all stems from a post by Kaspersky researcher, Roel Schouwenberg, discussing the lack of ethics in certain researchers. It seems that Roel finds it irresponsible for PolyPack to be considered valid research, especially research coming from academia. Dave Maynor responded to the post with his own write-up and that prompted Kurt's response.

So what is PolyPack? It's a research project out of the University of Michigan which has created a frontend that allows you to submit binaries for testing. These binaries are packed with 10 different packers and tested against 10 AV engines. I happen to think that this is a great project that serves to highlight the many shortcomings of signature-based AV detection. I'm also not the only one that feels this way, as the paper was selected to be presented at WOOT '09.

So what's the unethical part of this research project? If it's about the use of packers to bypass AV, then I have something to share with Kurt and Roel. That's not a secret! It's fairly well known... it was mentioned in PaulDotCom podcast #125, and I'm also pretty sure I've heard HD Moore mention it during a Metasploit training session. So what's left? They haven't released some super secret l33t h4X0r script that will cause every computer in the world to simultaneously self destruct, nor have they reprogrammed our TiVos to record nothing but soap operas. There's only one possible answer left, and it's the conclusion that Maynor reached... they're making signature-based AV look bad.

So in the end, I pose the title of this post as a question to everyone. What is ethical? Is it ethical to release research that may be used for evil? Or is it more unethical to sit on that research and keep it private, waiting for the bad guys to stumble upon it for themselves? In this case the bad guys are probably well aware of packers, so this becomes somewhat of a moot point; if they were really desperate they could even pack their binaries themselves and upload them to VirusTotal to see how well they do.

So again I'll attempt to close out this article. What is ethical? Personally, I think sharing your research and working towards the betterment of technology is ethical, and that sitting back and waiting for the bad guys to beat you to the punch is highly unethical.

Has SBN Stopped Being Useful?

August 7th, 2009

I think that the Security Bloggers Network (SBN) is amazing, so please don't misinterpret this post... I've provided the domain for the website and host a mailing list (although it was infrequently used even during the 2 months when people used it). Yet I have to wonder if it is perhaps becoming a little too large, and if it requires a filter.

I know there have been debates in the past over whether or not SBN was full of noise and you can't really debate that... but it's full of noise in the way that twitter is full of noise... most of the noise is useful.

Let's take a look at the BrickHouse Security blog... first it should be stated that BrickHouse is an online storefront selling GPS Trackers, Spy Equipment, etc. Now let's look at some of their recent blog posts...

Taconic Car Accident Tragedy Could Have Been Avoided with Technology- For anyone who hasn't read it, or can't guess from the title... it's a blog post about a woman dying in a car accident... at least the first two paragraphs are. The second two? A write-up on how if she'd had a GPS Tracker in her car, she'd still be alive... Wait! What does BrickHouse sell again? Oh yeah... GPS Trackers. <-- I hope other people's stomachs turned... because mine sure did.

How about this post, which spreads FUD about bump keys (first thought: "Wait... hasn't this been discussed everywhere for a couple of years now? Why bring this up now?"). Then I reached the last two paragraphs that contained the solution to bump keys... biometric locks, conveniently sold by BrickHouse Security (including a link to them)... with the following text:

These tools are the first step towards having a secure home and for thwarting the steps criminals take to get around security measures. As long as homeowners are smart and realize the technology that is at their disposal, the bogeyman will fade away.

I see... they can protect me. After all, we've never, NEVER, never seen biometrics bypassed!

I honestly don't see any value added from blogs like this being included within SBN.

SSH Brute Force Attempts — GeoLocation

August 4th, 2009

A couple of weeks ago, I posted about the logs of some SSH brute force attempts against my server that I had been looking through. One of the comments asked for geolocation of the IP addresses. Tonight I decided to make use of the service available at ip2location.com and geolocate each of the IPs that I had. I'm actually fairly impressed with the service: you can do 20 lookups per IP per day unregistered, and if you register you can do 200 lookups per IP per day. I registered and then pasted my entire list into a textbox they provide; it looked them all up at once and provided the results.

Here are the screenshots. It was a small set of IPs, but the top three countries were China, the USA and Poland.
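The workflow above (pull the attacking IPs out of the sshd log, paste the list into a bulk lookup, then tally by country) is easy to script. The following is an added example and not code from the original post or from ip2location.com: it parses constructed sshd "Failed password" lines (RFC 5737 documentation addresses), counts attempts per source IP, emits the newline-separated list a bulk lookup form expects, and then aggregates the per-IP counts by country. The `ip_to_country` mapping is a hypothetical stand-in for whatever the lookup service returns; no network call is made.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not from the original post's logs).
SAMPLE_AUTH_LOG = """\
Aug  3 02:14:07 host sshd[4011]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Aug  3 02:14:09 host sshd[4011]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
Aug  3 02:15:31 host sshd[4019]: Failed password for root from 198.51.100.7 port 40022 ssh2
Aug  3 02:16:02 host sshd[4023]: Failed password for invalid user oracle from 203.0.113.55 port 33011 ssh2
Aug  3 02:16:05 host sshd[4023]: Failed password for invalid user oracle from 203.0.113.55 port 33012 ssh2
Aug  3 02:16:08 host sshd[4023]: Failed password for invalid user oracle from 203.0.113.55 port 33015 ssh2
Aug  3 02:20:44 host sshd[4031]: Accepted publickey for alice from 192.0.2.200 port 50110 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user admin from ...".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins(log_text):
    """Return a Counter mapping source IP -> number of failed password attempts."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:  # successful logins and unrelated lines are skipped
            counts[m.group(2)] += 1
    return counts


def ip_list_for_lookup(counts):
    """Unique IPs, busiest first, one per line: the shape a bulk-lookup textbox wants."""
    return "\n".join(ip for ip, _ in counts.most_common())


def top_countries(counts, ip_to_country, n=3):
    """Aggregate per-IP attempt counts by country using an externally obtained IP->country map."""
    by_country = Counter()
    for ip, attempts in counts.items():
        by_country[ip_to_country.get(ip, "Unknown")] += attempts
    return by_country.most_common(n)


if __name__ == "__main__":
    counts = failed_logins(SAMPLE_AUTH_LOG)
    print("Paste this into the bulk lookup form:")
    print(ip_list_for_lookup(counts))
    # Hypothetical lookup results standing in for the geolocation service's answer.
    lookup_results = {"203.0.113.55": "China", "192.0.2.10": "USA", "198.51.100.7": "Poland"}
    print("Top countries by failed attempts:", top_countries(counts, lookup_results))
```

On a real box, read `/var/log/auth.log` (or `journalctl -u ssh`) instead of the embedded sample; the regex is what matters, and it deliberately ignores `Accepted` lines so legitimate logins never end up in the list you submit to a third-party service.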
