Consumer Reports = Evil
August 19th, 2006 by Quan Tranh
The Red Tape Chronicles is covering a story where Consumer Reports sponsored a throwdown of anti-virus programs. Consumer Reports is coming under fire from the anti-virus industry for writing viruses to test off-the-shelf software with. The issue is that anti-virus programs only detect known viruses with any degree of reliability. The general public typically does not understand this minor detail. They do detect new viruses using heuristics and other methods, but these methods are not fully reliable. To establish a baseline, Consumer Reports had an independent security firm create 5500 new viruses to test with.
Antivirus Webzine Virus Bulletin whined the loudest as a result.
“The antivirus community has always been very strongly opposed to the creation of new malware for any purpose,” wrote John Hawes, the technical consultant at antivirus Webzine Virus Bulletin. “There’s just no need for it. Plenty of new viruses are being written all the time, why would anyone in a responsible position want to add to the glut?”
Obviously Mr. Hawes does not know anything about the scientific method and controlled experiments. Sure, there are new viruses already out there, but if you don’t know they exist, how do you know the software is effectively protecting the computer?
The antivirus industry has been very concerned with keeping its art a mystery. Anyone who creates new viruses for any reason is considered bad for the industry. One does not have to look too far to see that the antivirus companies are protecting their own interests. One case that made headlines a few years ago was when the University of Calgary in Canada began teaching a course on viruses to its computer science students. The basis of the class is to write viruses and then write antivirus software to catch the work of your classmates. Personally, I would consider it no different than teaching lock picking to a class that will be designing the locks of the future. You have to know all the techniques the bad guys use in order to craft an appropriate countermeasure.
The Calgary program created quite a controversy, with many US security software companies stating that they would not hire anyone who graduated from the university with a computer science degree since it would mean they have written viruses, never mind the context. I find this viewpoint hypocritical at the very least. It is well known that many security companies hire former black hat hackers. The technicality is that if you’ve never been convicted, nobody can prove that you are a criminal hacker, and by virtue of turning away from “the dark side” you are now a good guy. They don’t teach hacking in college, so the only experience IT security professionals are going to get is hacking or through an internship or mentorship program.
Consumer Reports is being roasted for the same reason. If antivirus software were any good it would prevent all viruses, not just the known ones. But McAfee and Symantec, plus a whole host of better solutions, would not be able to charge a yearly subscription fee as easily if you didn’t constantly need their updates. With organized crime and the jihad getting on board with hacking and virus writing, I believe Consumer Reports is on target with their tests. Profit is what motivates us, but a little innovation to provide consumers with better protection and the retirement of old and outdated business models would greatly enhance security. McAfee and the antivirus industry are not putting virus prevention at the top of their priority list.
This entry was posted on Saturday, August 19th, 2006 at 7:47 am and is filed under Geek/Tech/Sci.