my original stance on polypack was based solely on what was written about it because the site was nonfunctional at the time. my opinion changed when it came back and i found out it was closed to the public. i don't know, however, if it had always been closed to the public or if that was a reaction to the negative publicity it was receiving.

The whole reason this is even a story is because someone out there making piles of cash from signature-based anti-virus got offended and thought it best to vilify the people, rather than to accept criticism… that's my guess…

that IS server-side polymorphism with malware q/a

"once again, they only thing they have done is prove that signature based AV is ineffective in even the most basic of circumstances."

once again, as pointless as proving water is wet – you said so yourself, this fact is already known, therefore it doesn't need to be proven ad infinitum by every tom, dick, and harry security researcher.

"There's no strawman argument here, because their research is on par with the airplane and not with the atomic bomb."

a) the einstein reference was to compare people, not projects (which is good since einstein didn't actually work on the bomb, the bomb was a consequence of his work). einstein had the good sense to feel responsible for how his work was misused. creators feel responsibility for their creations, it's natural and appropriate.
b) can you really not see how comparing airplanes (which have many good uses) with crimeware-as-a-service implementations (which have absolutely no good uses) is an apples to oranges comparison? that is where you mis-characterized my argument and thus where the strawman lies.

"There's no need to feel guilt and no unreasonable negative impact. "
no need to feel guilt YET. and who gets to say what a reasonable negative impact is? who are you (or i, or anyone in the security field) to say X number of victims were acceptable losses to prove a point? who are we to decide what kind of sacrifices are reasonable for the entire population?

the fact that you (and so many others) think this point (about AV) is worthwhile to make points to a profound misunderstanding of what's going on. you all think you're disproving the AV industry's message, but in reality you're disproving the message of the marketing arm of the AV industry. the distinction is incredibly important for 2 reasons: 1) your counter arguments will only be seen by a select few (you're not going to get buy-in from the population at large) and 2) marketing is not bound by the same constraints you are. marketing messages are inherently unbalanced messages intended exclusively to sell product and build brand – they don't care about technical accuracy and so all you folks trying to prove that message wrong are effectively tilting at windmills. the message won't change in response to projects like this – it will only change in response to market forces and the biggest influence on those (after marketing messages themselves) is the customers' individual performance experiences (and even then it's more likely that the technical aspects of the product will change as opposed to changing the marketing message – hence the increasing adoption of behavioural technologies in AV products).

on top of that, the arguments meant to disprove the AV marketing message are equally unbalanced in the opposite direction (which is why, for example, whitelist vendors' marketing departments use the same arguments).

as such, folks trying to prove this point about AV need to figure out what their real goal is, beyond just proving a point because (as the leader of the human resistance in the matrix said) there's no point in it.

There's no strawman argument here, because their research is on par with the airplane and not with the atomic bomb. There's no need to feel guilt and no unreasonable negative impact.

i'm sure you're aware that the polypack project was more than just a paper, they put an actual service online that provided server-side polymorphism and malware q/a features. you compared that with an airplane, bravo.

the airplane had a legitimate beneficial use that was apparent even before the first one got in the air. a crimeware-as-a-service implementation does not. you might argue that it's beneficial use is in proving a point, but as you so eloquently pointed out the fact that av can be bypassed in this way is already known so proving this point is as pointless and proving water is wet.

oh, and while i'm on the subject of strawmen – shame? shame!?! guilt is the appropriate emotional response when you're responsible for something bad happening to other people. shame/embarrassment may seem superficially similar to guilt, but they lack the requisite sense of responsibility. you don't seem to think an inventor should bare responsibility for the misuse of his/her invention, however, thus making shame seem like the more appropriate response. i could mention einstein's deep remorse over his role in the atomic bomb, but that would just be an appeal to authority. instead i'll just have to wonder about your own sense of responsibility for your direct *and* indirect impact on the world.