My ISSA paper was just accepted as a full research paper. The comments were pretty good too, of course I am only quoting the good bits, but:

Excellent insight shown, well researched, very relevant topic.

The paper presents an interesting and well-written discussion, which is extensively supported by references to existing literature.

Reviewer one had mostly grammatical corrections, but reviewer two built some positive arguments against some of my points, which is always a good sign of a thoughtful reviewer and meaty arguments. I think I can rebut them pretty easily and will add them to the paper.

Rhodes is sending down a well sized phalanx of presenters, and I will be proudly representing my company. I can't wait. I just hope those lazy Sensepost bums contribute something this year, instead of recruiting ;)

If you follow these kinds of things, you will realise that AV technology is getting worse not better at protecting you from malware. Case in point, yesterday I downloaded a file from a rather dubious site. I checked it out with ClamAV and McAfee and both gave it a clean bill of health. On running it and monitoring it's progress with process explorer I realised pretty quickly that it was malicious. I submitted it to VirusTotal and it was found to be malicious by only 3 scanners (all free, none of the 'big vendors' detected it) and at least two looked to be using heuristics to make that analysis.

Now it seems the automated classification debate is heating up with Havlar's recent work, and now Microsoft's Anti-Malware team (and Havlar's response).

Noam Epple of Vivica Information Security Inc. believes the info sec community has failed. Understandably, I take issue with this. Thomas Ptacek has a nice reply which highlights the mistake Noam has made: You can't look at every problem and claim that security has failed, if there is an effective defence. You can claim there are a lot of people being dumb and not using the defence, but we knew that already, hence our continued employment.

To provide an analogy, if I said that physical lock security has failed due to the number of thefts reported each year, I would be fiddling the stats. A meaningful stat would be to look at the number of thefts that occurred in situations where the goods had been properly secured.

This is not to say every security problem has been solved, but rather that a claim of "Complete, Unquestionable, and Total" failure is overblown to say the least.

I think there is an interesting correlation between the number of adjectives used in a story title and the quality of an article :)

This whole creationism vs evolution thing is silly. It is mostly a false argument sent to get people all riled up instead of focussing on God. I take the Catholic stance on the matter, advocated by Pope Pius XII in his 1950 encyclical Humani Generis, with a few points:

• Scripture does not contradict evolution. Read.
• Scripture is very nuanced and should not all be interpreted literally. Read.
• Evolution is a very broad list of topics, be specific. Read.
• Evolutionary theory has the scientific upper hand. Always check the claims of creationists at Talk origins.

Many anti-virus vendors take a black list approach: a huge list of 'naughty' files is drawn up and those naughty files are prevented from running on your machine.

The problem with this is to make the list the naughty files need to be found and analysed, then the list needs to be updated and sent all over the world. So, the easy attack is to make it difficult to find and analyse the files. For example the hacker defender project used to sell a customised version of their trojan. That way it would be difficult to find (if used in a targeted attack) and the analysis would only affect that version keeping the other versions undetected. Another example are the thousands of variants some malware has e.g. NetSky, MyDoom and Mytob.

A much better way of doing this would be to use a whitelist. Now, making a whitelist of allowed programs requires too much customisation, so a white list of behaviours is used instead. Many AV products are pretty bad at this. To test your products functionality, some ISC handlers have created Spycar. This provides some binaries which perform benign versions of naughty behaviours to see if your AV can pick them up. The name is a reference to the naughty file test suite EICAR.

While you're at it, check out the free Windows behaviour-based protection tool, WinPooch.