SkyOut now invites 24C3 conference attendees to participate in a more down-to-earth discussion which starts with insight into relation between AVs and VXers.
Ok, we have a lot of time, so we can have a little discussion if you want.
– So, first question would be: in the beginning and the end you told us what you were going to talk about, which is, why coding viruses isn’t a bad thing, at least not necessarily. But the whole talk wasn’t about this. So I still don’t know… if you code, if you’re a hacker or something in this particular view of writing viruses, I understand that writing proper, writing good, writing elegant code shows some kind of skill, which is control of the language on a hopefully high level. But first thing I don’t get is what is the equivalent for social engineering, I mean, what skills do you show to manipulate people, to trick people, to kind of misuse the web of trust in our day-by-day interactions with a person. What are the skills you prove when you do social engineering for, like, spreading viruses?
– Well, you mean, what is the skill of doing social engineering? Well, isn’t social engineering a skill? I mean, you can use social engineering for coding viruses; your virus gets better when you’re better at social engineering.
– I’m not asking what’s the use of social engineering; I mean, what is the benefit, what personal capability do you prove when you do social engineering, besides tricking people?
– I think you prove that you understand how people think and act. Maybe I should say what I imply when I say ‘social engineering’. Social engineering is understanding how people think and act, and making yourself react to those things.
– Ok, got this one. Second one will be about your best case scenario for the interaction of writing viruses and the antivirus companies. Your best case scenario was: you write a virus, send it to the company, and the company spreads the patches and signatures to its customers. Isn’t this basically like protection money earning? Basically it means that everyone who can afford protection gets it, and the people writing viruses profit from it, and the company profits from it; but all the people not paying money for it suffer the consequences, which you put into the terms of stupidity. Of course, a lot of people have stupid behavior with computers, but those people maybe pay money too, and they don’t suffer the consequences. Are you sure this is the best case scenario?
– Don’t you think it’s the best case scenario, or what?
– Depends on whether you can afford the updates.
– More questions?
– Hello. At the beginning of your speech you mentioned that the VXers don’t want to spread viruses and you don’t even make binaries of them. So, the question is: why do you have troubles, if what you said is true, with the antivirus companies?– Well, I would say it’s very simple to make a binary virus out of source code, so many AV companies think: “Hey, they show their source code and many people can just take this source code and make a binary virus.”
And that’s the problem: we, the VXers, just code a virus to show the source code and to conduct knowledge exchange; we don’t want to harm anybody. But there are those criminals who can really take our source code, put it in their viruses and spread it. It often happened in the past: like, if a great idea occurred to a VXer – how to spread a virus, he never wanted to spread it; but then a criminal took this idea, coded it into his own virus and started spreading it. So, what the AVs don’t like about us is that we show new ways to spread viruses, and thus we make their life harder: we show techniques how to hide your virus from the AV program – they really don’t like this. They don’t want to have people who show how to hide a virus. They don’t want to have people who show new techniques.
Of course, for us it means making security better. It’s like with hacking: when you show a new vulnerability, you normally, as a whitehat, want to make the system more secure. It’s like a VXer: he shows a new way to spread a virus and wants to make the AVs react, but they don’t like this. They don’t want new problems all the time. Is this what you mean?
– This sounds like some hypocritical organized crime, because you help them by giving away your source code, they make money with viruses, because if they wouldn’t, they wouldn’t have any job, but still they attack some of you. Don’t you think this is, first of all, unfair?
– Well, it’s a bit similar to the question if we should release vulnerabilities, isn’t it? I mean, if we now make a relation to hacking, we have it quite similar: in VX world we have people who write a new virus and show the source code, and others can take it to really spread it. In hacking you have found a vulnerability in whatever, e.g. Apache web server, and now it is the question: whether you really release this vulnerability and then people could take it, of course, to attack an Apache web server, or you don’t release this vulnerability.
Now here’s the question: you for yourself must be sure if you want to make it full disclosure, or not. And most VXers are for full disclosure, so they think: “By showing those viruses we make security better, and, of course, it’s fun.” Really, sometimes it’s simply just fun. They want to piss the AV off a bit and make their life harder, because the AV companies have done a lot to break us down, and so sometimes we just get angry and code viruses to make their life harder.
– I don’t think that antivirus companies are upset by you; I think, without people like you they wouldn’t exist. They depend on you.
– Yeah, that’s interesting, many people think so. Well, without us there would still be the criminals, of course, but the criminals might not find such techniques. Well, it depends; I think criminals can also find new techniques, new things to make viruses better, so I think it could work without us, but it’s more interesting with us. You make their life harder, they have something to do, you do some work – great!
Read previous: VX – The Virus Underground 4: Problems of the VX Scene