kurt wismer
30p33 comments posted · 1 followers · following 6
18 weeks ago @ .:Computer Defense:. - On Teaching... · 0 replies · +1 points
20 weeks ago @ .:Computer Defense:. - What is Ethical? · 0 replies · +1 points
my original stance on polypack was based solely on what was written about it because the site was nonfunctional at the time. my opinion changed when it came back and i found out it was closed to the public. i don't know, however, if it had always been closed to the public or if that was a reaction to the negative publicity it was receiving.
26 weeks ago @ .:Computer Defense:. - What is Ethical? · 0 replies · +1 points
that IS server-side polymorphism with malware q/a
"once again, the only thing they have done is prove that signature based AV is ineffective in even the most basic of circumstances."
once again, as pointless as proving water is wet - you said so yourself, this fact is already known, therefore it doesn't need to be proven ad infinitum by every tom, dick, and harry security researcher.
"There's no strawman argument here, because their research is on par with the airplane and not with the atomic bomb."
a) the einstein reference was to compare people, not projects (which is good since einstein didn't actually work on the bomb, the bomb was a consequence of his work). einstein had the good sense to feel responsible for how his work was misused. creators feel responsibility for their creations, it's natural and appropriate.
b) can you really not see how comparing airplanes (which have many good uses) with crimeware-as-a-service implementations (which have absolutely no good uses) is an apples to oranges comparison? that is where you mis-characterized my argument and thus where the strawman lies.
"There's no need to feel guilt and no unreasonable negative impact. "
no need to feel guilt YET. and who gets to say what a reasonable negative impact is? who are you (or i, or anyone in the security field) to say X number of victims were acceptable losses to prove a point? who are we to decide what kind of sacrifices are reasonable for the entire population?
the fact that you (and so many others) think this point (about AV) is worthwhile to make points to a profound misunderstanding of what's going on. you all think you're disproving the AV industry's message, but in reality you're disproving the message of the marketing arm of the AV industry. the distinction is incredibly important for 2 reasons: 1) your counter arguments will only be seen by a select few (you're not going to get buy-in from the population at large) and 2) marketing is not bound by the same constraints you are. marketing messages are inherently unbalanced messages intended exclusively to sell product and build brand - they don't care about technical accuracy and so all you folks trying to prove that message wrong are effectively tilting at windmills. the message won't change in response to projects like this - it will only change in response to market forces and the biggest influence on those (after marketing messages themselves) is the customers' individual performance experiences (and even then it's more likely that the technical aspects of the product will change as opposed to changing the marketing message - hence the increasing adoption of behavioural technologies in AV products).
on top of that, the arguments meant to disprove the AV marketing message are equally unbalanced in the opposite direction (which is why, for example, whitelist vendors' marketing departments use the same arguments).
as such, folks trying to prove this point about AV need to figure out what their real goal is, beyond just proving a point because (as the leader of the human resistance in the matrix said) there's no point in it.
26 weeks ago @ .:Computer Defense:. - What is Ethical? · 0 replies · +1 points
i'm sure you're aware that the polypack project was more than just a paper, they put an actual service online that provided server-side polymorphism and malware q/a features. you compared that with an airplane, bravo.
the airplane had a legitimate beneficial use that was apparent even before the first one got in the air. a crimeware-as-a-service implementation does not. you might argue that its beneficial use is in proving a point, but as you so eloquently pointed out the fact that av can be bypassed in this way is already known so proving this point is as pointless as proving water is wet.
oh, and while i'm on the subject of strawmen - shame? shame!?! guilt is the appropriate emotional response when you're responsible for something bad happening to other people. shame/embarrassment may seem superficially similar to guilt, but they lack the requisite sense of responsibility. you don't seem to think an inventor should bear responsibility for the misuse of his/her invention, however, thus making shame seem like the more appropriate response. i could mention einstein's deep remorse over his role in the atomic bomb, but that would just be an appeal to authority. instead i'll just have to wonder about your own sense of responsibility for your direct *and* indirect impact on the world.
26 weeks ago @ .:Computer Defense:. - Has SBN Stopped Being ... · 0 replies · +1 points
i think it probably serves as a wonderful showcase for security blogs, but i would never actually subscribe to the SBN feed - rather i would subscribe to individual blogs from within the security bloggers network. tastes in blogs are too individual for a one-size-fits-all feed.
8 weeks ago @ The website of Andrew Hay - Done Something Illegal... · 0 replies · +1 points
when it comes to biometric authentication, people always want non-invasive techniques (like fingerprints) in spite of the fact that biometric data that can be captured non-invasively is inherently easy to capture and reuse fraudulently.
when it comes to biometric identification, fingerprints are one of the easiest and most likely things to get damaged. heck, they can even be temporarily modified with a bic lighter (which i found out quite by accident when i was younger).
16 weeks ago @ The website of Andrew Hay - Security Vendor Illega... · 0 replies · +1 points
should marketing folks be at a security conference unescorted? should they be on the road without having had adequate defenses set up by their respective company's security folks before they left?
"Nonetheless, that should *not* diminish how wrong it was for eSentire to do this and SecTor to advance that one wireless network was secure (or fully secured or however the message was taken)."
the wireless was secure. however there is obviously a disconnect between how wireless works and how people think wireless works. wireless only replaces the network cable connecting the computer to the network - there's more to a network than just those particular cables. the wireless (the encrypted one anyways) was secure, but the network it connected to was not - nor was there a reasonable expectation that it could be in that sort of environment. physical access control to hardware and wiring in a public space? highly dubious at best.
16 weeks ago @ The website of Andrew Hay - Security Vendor Illega... · 0 replies · +2 points
acting like a bad guy even at the most conceptual level is very close to crossing the line (it's a very fine line between acting bad and being bad) and the vendor should have taken a great deal more care to not cross it.
but the protective measures that would have saved the victims the humiliation of finding themselves on the wall of shame are the same measures they should be practicing in places like their hotel rooms, the airport, etc. whatever you may think about sector and the people organizing it, it wasn't held in some magic fantasy land, it was held in the real world and the real world has bad people in it. bad people don't care about things like professional courtesy or keeping non-threatening environments safe. since one should already be practicing self-defense on other public networks where there is no legitimate expectation of safety i see no reason why one would or should let those defenses down at the conference.
i think this episode serves as a valuable object lesson to people, and while i'm sure it's no fun being the object in an object lesson at least your pain can serve a greater good. law enforcement should deal with the legality of what the vendor did, collectively we all will deal with the vendor's ethical breach in one way or another (if the world is a just one then i expect they'll lose some business over it), and individually the victims should take personal responsibility for their own failures.
22 weeks ago @ The website of Andrew Hay - Can Google Still Claim... · 0 replies · +1 points
was the 99.99% figure qualified as being for this year only, or was it unqualified and thus possibly referring to overall uptime for the life of the service?
27 weeks ago @ The Ashimmy Blog - Forget about malware, ... · 0 replies · +1 points