On Sat, Nov 28, 2015 at 5:28 PM, Mike Hoye <[email protected]> wrote:
> On 2015-11-28 2:40 PM, Eric Rescorla wrote:
>
>> How odd that your e-mail was in response to mine, then.
>>
>> Thanks, super helpful, really moved the discussion forward, high five.
Glad I could help.
To Ehsan's point that "malicious code here might look like this:
> console.log("success"); [and] It's impossible to tell by looking at the
> code whether that line prints a success message on the console, or
> something entirely different, such as running calc.exe." - that's true, but
> it also looks a lot like the sort of problem antivirus vendors have been
> dealing with for a long time now. Turing completeness is a thing, the
> halting problem exists and monsters are real, sure, but that doesn't mean
> having antivirus software is a waste of time that solves no problems and
> protects nobody.
>
Interesting you should mention antivirus. One of the advantages that
antivirus
manufacturers have is that they are able to deploy signatures for malware
which
is already in the wild, so that they get to update their virus signatures
after the
malware is already written, so they know that the fielded malware will be
detectable.
And even then, it's well-known that malware authors test their prototype
malware against existing antivirus packages, which is part of the reason for
the relatively low effectiveness of commercial antivirus packages against
novel malware [0]. The system we are discussing here is quite similar,
except
much easier for the attacker because there is only one scanner they need
to defeat and they can download it and try it for themselves.
> One key claim Stillman made, that " A system that takes five minutes to
> circumvent does not “raise the bar” in any real way", is perhaps true in an
> academic sense, but not in a practical one. We know a lot more than we did
> a decade ago about the nature of malicious online actors, and one of the
> things we know for a fact is the great majority of malicious actors on the
> 'net are - precisely as Jorge asserts - lazy, and that minor speedbumps -
> sometimes as little as a couple of extra clicks - are an effective barrier
> to people who are doing whatever it is they're about to do because they're
> bored and it's easy. And that's most of them.
>
This might be true or it might not. I'd be interested in seeing some
evidence that it is
in fact true, specifically, that the scanner catches a lot of malware, as
opposed to
just broken-ware. Do you have such evidence?
-Ekr
[0]
http://krebsonsecurity.com/2010/04/virus-scanners-for-virus-authors-part-ii/
_______________________________________________
dev-platform mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-platform
