Risky Business #148 -- Good guys writing bad software

Patrick Gray
Veteran Member
Joined: 03/02/2009

On this week's show we have a chat to Paul Ducklin about what he sees as questionable ethics behind some mobile malware research.

Anonymous
Ducklin Ducks Questions

Ducklin ducked plenty of questions - the answers to which would have directly contradicted his view on the mobile vuln/exploit writing. The whole thing sounded like a PR guy crying about being behind on a certain platform and unable to keep up. He knows full well vuln/exploit writers/frameworks *push* vendors to *fix* issues ... otherwise he is supporting the very head-in-the-sand idea of obscurity and just hoping the bad guys don't figure things out (and of course they will; they always do). The Sophos link just ties it all together and makes his view very transparent and weak :(

Props to Patrick for calling out this guy and not letting him off the hook.

Anonymous
Song at the end?

What is that song at the end (~48min mark)?

Patrick Gray

I don't really think I "called him out" on anything, I just questioned his position. We ran an interview with Tyler Shields a few weeks ago in which he discussed his work on the BlackBerry stuff, so this was a bit of a counterpoint.

It's weird... I come from a background in print journalism. You'd always have to get the opposing points of view into the one story. With the podcast it's different -- you can run one view one week and another later, separately... keeps the debate rolling.

I don't entirely agree or disagree with Shields or Ducklin. I think they both make valid points.

P

Patrick Gray

It's a remix of "Land Downunder" by Men At Work.

It's a bit of an Australian classic, remixed! This version was put together by Lawrence Kennedy.

You can visit his oh-so-tragic website here to download that track for free:

http://lawrencekennedy.com/

He just dropped off a fresh CD of stuff at RB HQ yesterday, so I plan to feature more of his tracks.

Kind of funny that the music that's generated the biggest response has been put together by Lozza -- he's a school teacher.

Anonymous

Apologies for not seeing this until now. Which questions did I "duck"? (Nice pun. Never heard that one before :-)

I am not against vulnerability research and the figuring-out of new exploits. This helps us improve by pointing out how things once assumed to be safe are not. That's why I described the work of Dowd et al. as useful and desirable -- such work _is_ research, it is novel, and it advances the cause.

What I am against is people writing mobile malware and then crowing to the media that what they have done amounts to research. And I am surprised that any university would accept such work as research, especially at a postgraduate level.

Writing malware is not difficult. Writing malware is not novel, even for mobile phones. It proves or teaches nothing, except, of course, malware writing, something we could well do without.

Writing malware does not make you a security researcher any more than kicking a door in makes you a locksmith. Uncovering a new vulnerability, however -- well, that _is_ like picking a new sort of lock for the first time, and it does help us to learn and improve.

So, writing mobile malware is not equivalent to (nor is it a subset of) mobile vuln/exploit writing. The former is just media-friendly "hey look, I can write code, now I'm a self-styled security researcher" posturing, and we can jolly well do without it.

So there.

Regards,

Paul Ducklin
