
What is Ethical?

August 10th, 2009

If one of my college professors stumbled across this post she'd probably have a heart attack, since she taught an entire course on ethics. Yet it seemed like the most appropriate title for this post.

Over the years, countless inventions have improved mankind yet introduced a negative side effect. The gun provides a means to hunt and defend more efficiently, yet it also provides a means to kill with ease. The plane decreased travel times, then someone thought to attach a bomb and fly over a target. Water is a basic necessity of life, and even it has been used for evil.

Now according to Kurt Wismer, the inventors of these (we'll leave water out of this since I don't want to start a religious debate) should feel responsible when their inventions are used for evil. That means the Wright Brothers should have felt shame every time a bomb was dropped from a plane. I can't help but feel that's more than a little preposterous.

This all stems from a post by Kaspersky researcher, Roel Schouwenberg, discussing the lack of ethics in certain researchers. It seems that Roel finds it irresponsible for PolyPack to be considered valid research, especially research coming from academia. Dave Maynor responded to the post with his own write-up and that prompted Kurt's response.

So what is PolyPack? It's a research project out of the University of Michigan which has created a frontend that allows you to submit binaries for testing. Each submitted binary is packed with 10 different packers, and every packed variant is tested against 10 AV engines. I happen to think this is a great project that highlights the many shortcomings of signature-based AV detection. I'm also not the only one who feels this way, as the paper was selected to be presented at WOOT '09.

So what's the unethical part of this research project? If it's about the use of packers to bypass AV, then I have something to share with Kurt and Roel. That's not a secret! It's fairly well known... it was mentioned in PaulDotCom podcast #125, and I'm also pretty sure I've heard HD Moore mention it during a Metasploit training session. So what's left? They haven't released some super secret l33t h4X0r script that will cause every computer in the world to simultaneously self-destruct, nor have they reprogrammed our TiVos to record nothing but soap operas. There's only one possible answer left, and it's the conclusion that Maynor reached... they're making signature-based AV look bad.
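To make concrete what "packing bypasses signature-based AV" means, here is an added example that is not PolyPack's code and not part of the original post. It uses a constructed sample, constructed byte-pattern signatures, and three toy packers (plain XOR, zlib, rolling XOR) in place of the ten real packers and ten commercial engines PolyPack used; the signature names, the stub markers and the sample's strings are all assumptions made for illustration. It builds the same kind of packer-versus-signature matrix the PolyPack frontend reported, and then shows the two ways a real engine fights back: signaturing the packer's stub, and unpacking before scanning.

```python
"""Toy packer-vs-signature matrix (added example; nothing here is PolyPack's code)."""
import zlib

# Constructed sample: a fake dropper whose distinctive bytes are a persistence
# command and a download URL, exactly the kind of strings a signature keys on.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"cmd.exe /c reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    + b" /v Updater /d %TEMP%\\upd.exe\x00"
    + b"http://payload.example/stage2.bin\x00"
)

# Constructed signatures: fixed substrings of the unpacked body, which is how a
# naive signature-based engine matches. Names are made up.
SIGNATURES = {
    "Trojan.Dropper.Constructed.A":
        b"reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "Trojan.Downloader.Constructed.B": b"payload.example/stage2.bin",
}

# A stub signature: engines also flag the packer itself, which catches every
# sample wrapped by that packer but also hits legitimately packed software.
STUB_SIGNATURES = {"Packed.Constructed.Stub": b"STUB-"}


def scan(data: bytes, signatures=SIGNATURES) -> list:
    """Return the names of every signature whose pattern occurs in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


# Toy packers. A real packer's stub is executable code that restores the body at
# run time; here the stub is only an 8-byte marker that identifies the format.
def pack_xor(data: bytes, key: int = 0x5A) -> bytes:
    return b"STUB-XOR" + bytes([key]) + bytes(b ^ key for b in data)


def pack_zlib(data: bytes) -> bytes:
    return b"STUB-ZLB" + zlib.compress(data, 9)


def pack_rolling_xor(data: bytes, seed: int = 0x13) -> bytes:
    out, k = bytearray(), seed
    for b in data:
        out.append(b ^ k)
        k = (k * 33 + 7) & 0xFF  # constructed key schedule
    return b"STUB-RXR" + bytes([seed]) + bytes(out)


PACKERS = {"xor": pack_xor, "zlib": pack_zlib, "rolling-xor": pack_rolling_xor}


def unpack(blob: bytes):
    """Reverse any of the toy packers, as an emulating engine would; None if unknown."""
    if blob.startswith(b"STUB-XOR"):
        key = blob[8]
        return bytes(b ^ key for b in blob[9:])
    if blob.startswith(b"STUB-ZLB"):
        return zlib.decompress(blob[8:])
    if blob.startswith(b"STUB-RXR"):
        k, out = blob[8], bytearray()
        for b in blob[9:]:
            out.append(b ^ k)
            k = (k * 33 + 7) & 0xFF
        return bytes(out)
    return None


def polypack_matrix(sample: bytes, packers=PACKERS, signatures=SIGNATURES) -> dict:
    """Pack the sample with every packer and scan each result with the plain
    substring engine: the packer-by-engine table PolyPack reported, reduced to
    one engine. Returns {packer_name: [signature hits]}."""
    results = {"unpacked": scan(sample, signatures)}
    for name, packer in packers.items():
        results[name] = scan(packer(sample), signatures)
    return results


def scan_with_unpacking(blob: bytes, signatures=SIGNATURES) -> list:
    """Engine that flags known stubs and scans the unpacked body as well."""
    hits = scan(blob, {**signatures, **STUB_SIGNATURES})
    body = unpack(blob)
    if body is not None:
        hits += scan(body, signatures)
    return hits


if __name__ == "__main__":
    for packer, hits in polypack_matrix(SAMPLE).items():
        print(f"{packer:12s} substring engine: {hits or 'clean'}")
    for packer, fn in PACKERS.items():
        print(f"{packer:12s} unpacking engine: {scan_with_unpacking(fn(SAMPLE))}")
```

The plain substring engine flags only the unpacked sample and reports every packed variant as clean, which is the result PolyPack's matrix made visible. The second engine shows why that result is not the end of the story: once a packer is common enough to signature its stub, or cheap enough to emulate, the packed variants are caught again, and the attacker moves to the next packer. That is the cycle the post is arguing about.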

So in the end, I pose the title of this post as a question to everyone. What is ethical? Is it ethical to release research that may be used for evil? Or is it more unethical to sit on that research and keep it private, waiting for the bad guys to stumble upon it for themselves? In this case the bad guys are probably well aware of packers, which makes the question somewhat moot: if they were really desperate, they could pack their binaries themselves and upload them to VirusTotal to see how well they do (with the caveat that VirusTotal forwards submitted samples to the AV vendors, so a careful attacker would not hand over a fresh sample that way).

So again I'll attempt to close out this article. What is ethical? Personally, I think sharing your research and working towards the betterment of technology is ethical, and that sitting back and waiting for the bad guys to beat you to the punch is highly unethical.


  1. August 10th, 2009 at 14:44 | #1

    congratulations on constructing such an effective strawman ( http://en.wikipedia.org/wiki/Straw_man )

    i'm sure you're aware that the polypack project was more than just a paper, they put an actual service online that provided server-side polymorphism and malware q/a features. you compared that with an airplane, bravo.

    the airplane had a legitimate beneficial use that was apparent even before the first one got in the air. a crimeware-as-a-service implementation does not. you might argue that its beneficial use is in proving a point, but as you so eloquently pointed out the fact that av can be bypassed in this way is already known so proving this point is as pointless as proving water is wet.

    oh, and while i'm on the subject of strawmen – shame? shame!?! guilt is the appropriate emotional response when you're responsible for something bad happening to other people. shame/embarrassment may seem superficially similar to guilt, but they lack the requisite sense of responsibility. you don't seem to think an inventor should bear responsibility for the misuse of his/her invention, however, thus making shame seem like the more appropriate response. i could mention einstein's deep remorse over his role in the atomic bomb, but that would just be an appeal to authority. instead i'll just have to wonder about your own sense of responsibility for your direct *and* indirect impact on the world.

  2. August 11th, 2009 at 05:22 | #2

    They put out a service that takes a binary, packs it with 10 packers, and tests it against 10 AVs… once again, the only thing they have done is prove that signature based AV is ineffective in even the most basic of circumstances.

    There's no strawman argument here, because their research is on par with the airplane and not with the atomic bomb. There's no need to feel guilt and no unreasonable negative impact.

    • August 11th, 2009 at 14:44 | #3

      "They put out a service that takes a binary, packs it with 10 packers, and tests it against 10 AVs.."

      that IS server-side polymorphism with malware q/a

      "once again, they only thing they have done is prove that signature based AV is ineffective in even the most basic of circumstances."

      once again, as pointless as proving water is wet – you said so yourself, this fact is already known, therefore it doesn't need to be proven ad infinitum by every tom, dick, and harry security researcher.

      "There's no strawman argument here, because their research is on par with the airplane and not with the atomic bomb."

      a) the einstein reference was to compare people, not projects (which is good since einstein didn't actually work on the bomb, the bomb was a consequence of his work). einstein had the good sense to feel responsible for how his work was misused. creators feel responsibility for their creations, it's natural and appropriate.
      b) can you really not see how comparing airplanes (which have many good uses) with crimeware-as-a-service implementations (which have absolutely no good uses) is an apples to oranges comparison? that is where you mis-characterized my argument and thus where the strawman lies.

      "There's no need to feel guilt and no unreasonable negative impact. "
      no need to feel guilt YET. and who gets to say what a reasonable negative impact is? who are you (or i, or anyone in the security field) to say X number of victims were acceptable losses to prove a point? who are we to decide what kind of sacrifices are reasonable for the entire population?

      the fact that you (and so many others) think this point (about AV) is worthwhile to make points to a profound misunderstanding of what's going on. you all think you're disproving the AV industry's message, but in reality you're disproving the message of the marketing arm of the AV industry. the distinction is incredibly important for 2 reasons: 1) your counter arguments will only be seen by a select few (you're not going to get buy-in from the population at large) and 2) marketing is not bound by the same constraints you are. marketing messages are inherently unbalanced messages intended exclusively to sell product and build brand – they don't care about technical accuracy and so all you folks trying to prove that message wrong are effectively tilting at windmills. the message won't change in response to projects like this – it will only change in response to market forces and the biggest influence on those (after marketing messages themselves) is the customers' individual performance experiences (and even then it's more likely that the technical aspects of the product will change as opposed to changing the marketing message – hence the increasing adoption of behavioural technologies in AV products).

      on top of that, the arguments meant to disprove the AV marketing message are equally unbalanced in the opposite direction (which is why, for example, whitelist vendors' marketing departments use the same arguments).

      as such, folks trying to prove this point about AV need to figure out what their real goal is, beyond just proving a point because (as the leader of the human resistance in the matrix said) there's no point in it.

  3. August 26th, 2009 at 14:56 | #4

    Thought-provoking although I seem to be of the school of thought that unethical tends to apply to anything that has a malicious *intended purpose*. It's certainly unethical to write purposeful malware – but it is not, in my opinion, unethical to write a well-controlled test-harness (which is what PolyPack is) for the sake of proving dinosaur technologies which people rely on for "security" as useless.

    The whole reason this is even a story is because someone out there making piles of cash from signature-based anti-virus got offended and thought it best to vilify the people, rather than to accept criticism… that's my guess…

    • September 21st, 2009 at 16:09 | #5

      while intentionally malicious actions certainly fall under the heading of unethical, they are not the only things to do so. willful negligence does as well – and were polypack open to the public it would qualify.

      my original stance on polypack was based solely on what was written about it because the site was nonfunctional at the time. my opinion changed when it came back and i found out it was closed to the public. i don't know, however, if it had always been closed to the public or if that was a reaction to the negative publicity it was receiving.
