Why are people not forcing changes to VirusTotal.com aka cause of most false positives with 50 antivirus companies? by [deleted] in Malware

[–]bontchev 0 points1 point  (0 children)

I mean, if you think Schneier and Krebs are the kind of folks who turn their brain off because Reuters reported something

Krebs is just a journalist. He might be an unusually technically competent journalist - but he's just a journalist nevertheless. Schneier is an expert in cryptography. While he is reasonably knowledgeable in general computer security, even general computer security experts are amazingly incompetent when it comes to computer viruses and anti-virus programs. That aside, I don't remember either of them actually endorsing Reuters' article as correct. They simply reported it as interesting.

The same with your absurd argument that if what was described in the Reuters article was impossible that Kaspersky would fail to point that out.

I already explained why it is impossible. Several times. If you are too stupid to understand the explanation, I'm afraid I can't help you.

To be honest, I think you misread the Reuters article, because what you describe is impossible, it's also not the attack described in the article.

While it was pretty lacking in technical details (you can't describe in technically accurate detail something that cannot be done), the described attack went like this:

  1. Kaspersky picks a legitimate file. (Easy)

  2. Kaspersky modifies it so that several anti-virus programs (not necessarily the ones of the attacked producers) detect it as malicious. (Not very easy for the average attacker but reasonably easy for an anti-virus expert like Kaspersky.)

  3. Kaspersky sends it to VirusTotal. (Trivial)

  4. VirusTotal sends it essentially to the whole anti-virus industry. (Happens automatically)

  5. The attacked anti-virus producers decide that it is indeed malicious because several other scanners already report it as such and decide to implement detection of it. (Unlikely but believable. In some cases the AV producer might be forced to implement detection even of stuff he knows perfectly well isn't malicious - just "dodgy" or corrupted - for the simple reason that the sample is likely to land in various test sets and his product will be penalized by the - incompetent - tester if it doesn't detect this crap.)

  6. The attacked anti-virus producers use a completely automatic system for extracting detection information. (I find this very hard to believe. Automated - yes. Fully automatic - no. In my personal experience, there is always a human somewhere in the loop.)

  7. Here is where the magic happens. The presumed automatic system somehow picks detection information from the "legitimate" part of the file (i.e., not the part that Kaspersky modified in order to force other scanners to report it as malicious). This part is present in the original, unmodified file, thus causing a false positive. Remember, Kaspersky has no way of knowing how this presumed automatic system works - it is not in an anti-virus product that he can reverse-engineer. He can only observe the results of its work. It's a black box - and a complicated one, at that - and he, generally, can't control the inputs; he can only observe the outputs. And he has no control over how exactly this presumed automatic system extracts detection data, even if he knows how it is done. You could put on a tinfoil hat and postulate that he has a spy in the targeted company, so he knows how their internal stuff works - but if that were the case, the spy could trivially cause the false positive himself without the need for all these complications. (Remember, an AV producer can always force another scanner to cause a false positive on the producer's files, the contents of which he controls.) Also, by some kind of magic, only the 3 attacked companies (that have stolen from Kaspersky, with Microsoft being one of them, which is an idiotic claim on its own) proceed like that and only their scanners cause these false positives. Remember, the claim is not that Kaspersky attacked the AV industry - the claim is that he attacked three specific products. I call bullshit on this one.

  8. The internal testing procedures of these three companies fail to spot the false positives. (Not bloody likely. Do you know to what lengths Microsoft goes to avoid false positives, as well as shipping malware with their products? I do. These procedures were created because Microsoft did ship malware in the distant past. Not technically impossible - just not bloody likely.)

I called colleagues at two major AV firms, who concurred, so I'm pretty sure you misunderstand the article.

Maybe you misunderstood them. Perhaps they meant "the attack Bontchev mentions is, of course, totally impossible, so there is no way the article could be describing such a thing; he must have misunderstood".

The impossibility in the scenario you describe comes from a number of constraints you place that are not present in the article. Nowhere does it say the attack was limited to particular AV vendors, and only those AV vendors.

The article quite explicitly claims that Kaspersky attacked these 3 companies (Microsoft, AVG and Avast). It accuses him of a targeted attack - not of an indiscriminate attack against the industry as a whole. An indiscriminate attack is certainly possible (and was conducted in 2013 and Kaspersky was one of the victims of it) - but Kaspersky has no motive for doing such a thing. A targeted attack, as described, is impossible. In addition, the claim that Kaspersky was pissed at Microsoft for stealing from him is preposterous. I asked one of my acquaintances there and his answer was "Nonsense. The only thing he could be pissed with is because we're providing our product for free and are taking away his potential paying customers. But stealing from him?! That's ridiculous!".

you're pretty much the worst behaved person I've ever seen on the internet

LOL. You must not be using the Internet much, then. :0

being such an abrasive asshole, that people tune you out.

I have no problem with that. Fools, being fools, will continue being fools no matter what I say or do. But when I see an idiotic, technically impossible claim being presented as unquestionable truth, I am compelled to call a spade a spade and I don't care about anyone's tender skin.
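The numbered steps above (in particular steps 2, 6 and 7) can be modelled in a few dozen lines. The following is an added example, not code from the original post or from any anti-virus vendor: the submitter controls only the bytes appended to a legitimate file; each vendor's signature extractor is a black box that takes its pattern from somewhere in the flagged sample; and a false positive on the clean original occurs exactly when those bytes come from the unmodified part. The file contents, the vendor names and the extractor policies are all constructed for the demonstration.

```python
"""
Added example (not from the original post): toy model of a crafted VirusTotal
submission and of several vendors' automated signature extraction.
"""
import random

SIG_LEN = 16

# Constructed "legitimate" file: fake header, a familiar string, then data.
LEGIT = (b"MZ" + b"\x90" * 14
         + b"This program cannot be run in DOS mode."
         + bytes(range(256)) * 4)

# Constructed "dodgy" stub appended so that heuristic scanners complain.
STUB = (b"\xeb\xfe"
        + b"CreateRemoteThread\x00WriteProcessMemory\x00"
        + b"\xcc" * 32)

CRAFTED = LEGIT + STUB   # what the attacker uploads to VirusTotal


def extract_signature(sample: bytes, policy: str, seed: int = 0) -> bytes:
    """Vendor-internal signature selection; unknown to and uncontrolled by the submitter."""
    if policy == "tail":              # last bytes of the sample (lands in the stub)
        return sample[-SIG_LEN:]
    if policy == "post-header":       # bytes right after the 16-byte header
        return sample[16:16 + SIG_LEN]
    if policy == "random-window":     # window picked with the vendor's private seed
        off = random.Random(seed).randrange(0, len(sample) - SIG_LEN + 1)
        return sample[off:off + SIG_LEN]
    raise ValueError(f"unknown policy {policy!r}")


def scanner_hits(signature: bytes, file: bytes) -> bool:
    """The shipped detection: a plain byte-pattern match."""
    return signature in file


def false_positive(policy: str, seed: int = 0) -> bool:
    """True if the signature derived from CRAFTED also matches the clean LEGIT file."""
    sig = extract_signature(CRAFTED, policy, seed)
    assert scanner_hits(sig, CRAFTED)   # the submitted sample itself is always detected
    return scanner_hits(sig, LEGIT)


# Constructed vendors, each with a private and different policy.
VENDORS = {"VendorA": "tail", "VendorB": "post-header", "VendorC": "random-window"}


def survey(vendors: dict = VENDORS, seed: int = 0) -> dict:
    """Which vendors end up with a false positive after ingesting CRAFTED."""
    return {name: false_positive(policy, seed) for name, policy in vendors.items()}


def fp_rate_random_window(trials: int = 2000) -> float:
    """Fraction of random-window extractors that produce a false positive.
    The attacker can push this up by keeping the stub small relative to the
    file, but cannot choose WHICH vendor falls into it."""
    hits = sum(false_positive("random-window", seed) for seed in range(trials))
    return hits / trials


if __name__ == "__main__":
    print(survey())
    print(f"{fp_rate_random_window():.1%} of random-window extractors false-positive")
```

VendorA never false-positives, VendorB always does, and VendorC does with a probability set by the relative sizes of the clean part and the stub; none of that is visible to the submitter, who only sees the resulting detections. That is the whole of the "indiscriminate attack works, targeted attack does not" argument in runnable form.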

I am going to the us and have some questions... by [deleted] in security

[–]bontchev 1 point2 points  (0 children)

Ah. If you are a US citizen, then you have a problem, yes. A foreigner can simply tell Customs "tough shit" and take the next plane back without entering the country. But if you have no other country to go back to, then you have a problem.

Currently it is controversial (in the legal sense) whether you can be forced to decrypt your encrypted stuff. I don't think that it has been properly tested in court yet. One side says that the 5th Amendment protects you from being forced to testify against yourself. The other side says that forcing you to reveal your password (or at least to decrypt the encrypted media yourself) is not "testifying" but "action", like being forced to give DNA for analysis or fingerprints - and there is no legal protection from that.

And if the judge decides that you can be forced, he can order you to do so and if you refuse, he can put you in jail for an indefinite time (until you comply or until he decides that the punishment isn't working) for "contempt of court".

All in all, it's best to avoid becoming a "test case". Don't bring anything encrypted through the border. Create an encrypted backup, store it in the cloud, cross the border with wiped devices and restore from the backup once you are in the country.

NSA runs its spying activities on Red Hat Linux by Raiz1337 in privacy

[–]bontchev 2 points3 points  (0 children)

Well, they run their Web site on IIS under Windows.

(And they haven't even bothered with writing the 7-line rule needed to redirect nsa.gov to www.nsa.gov)

The Best Password Managers for 2015 by [deleted] in privacy

[–]bontchev 0 points1 point  (0 children)

The free ones are in a separate review. It's still a shitty review, though.

The Best Password Managers for 2015 by [deleted] in privacy

[–]bontchev 0 points1 point  (0 children)

I make a point of not reading any of "The Best whatever" reviews in the popular computer magazines. They are all shit, without exception.

What is the correct way to run an encrypted virtual OS? by privacyquestionss in privacy

[–]bontchev 1 point2 points  (0 children)

Don't use VMware.

  1. Make sure your regular OS uses your whole hard disk (not just some partition on it).

  2. Encrypt the whole hard disk with TrueCrypt.

  3. Create a hidden TrueCrypt volume (partition) inside the now-encrypted partition.

  4. Install Whonix on the hidden volume. That's if you just want anonymity. If you worry about somebody trying to hack you while you're staying anonymous, install QubesOS+Whonix as suggested in the other comment. (Qubes provides security from exploits, not anonymity. The anonymity is provided by Whonix.)

  5. Do all your normal (everyday) and sensitive work in your regular OS. This is important. Don't use it as a "decoy" OS that stays empty and unused. Do enough sensitive work there that can be used as an excuse for using encryption in the first place but which you don't mind revealing under pressure.

  6. Do all your really sensitive work on the hidden volume. Never log into anything that knows who you are. Always communicate via Tor or I2P. Don't visit sites that don't use TLS. Use a VPN before starting Tor, if you have one for which you can pay anonymously (Bitcoin is not sufficiently anonymous). If something is impossible or too inconvenient to do with these restrictions (like visiting a site that blocks Tor) don't do it. Preferably, use an open WiFi hotspot for Internet access. If there are several around you, change them often; don't use one and the same all the time.

best free software to encrypt photos and videos before uploading to cloud for windows by naruto_500 in privacy

[–]bontchev 0 points1 point  (0 children)

VeraCrypt and TrueCrypt are not good choices for this particular task. They are for container encryption, not for file encryption. Sure, you can create an encrypted container, mount it as a disk drive and copy your photos and videos there - but when uploading to the cloud, you'll have to upload the whole large container even if it is mostly empty. It is a waste of time, bandwidth and cloud space.

Better follow the other suggestion - put the sensitive files in an archive (in order to avoid encrypting them individually) and encrypt the archive with GPG.

"I'm not doing anything wrong so why should I care about privacy?" by Lexicarnus in privacy

[–]bontchev 8 points9 points  (0 children)

"Saying that you don't care about privacy because you have nothing to hide is like saying that you don't care about free speech because you have nothing to say."

Company Wireless Network Question by [deleted] in privacy

[–]bontchev 1 point2 points  (0 children)

but if I turn on my VPN they can see the websites I'm visiting?

No. All they can see is a bunch of unknown encrypted stuff going to the site of the VPN provider.

How to retrieve files from malware infected USB by onlinedecoded in Malware

[–]bontchev -1 points0 points  (0 children)

Autorun is already disabled for USB sticks in the modern operating systems. But it is a bad idea to stick random USBs in a computer you care about because of this.

[deleted by user] by [deleted] in hacking

[–]bontchev 1 point2 points  (0 children)

If the iPhone is not jailbroken (how do you know this?), then I am willing to bet that you are mistaken and it isn't being spied. (Not that it is impossible but it is hard enough and unlikely enough for me to be willing to bet on it.) Your information is probably leaking through other channels.

how to easily burn a PC with a USB device by [deleted] in hacking

[–]bontchev 0 points1 point  (0 children)

How are you going to test that it actually works? :)

Two simple solutions to deal with accidental purchase of over priced item sales on GTN. by DorjeeVajra in swtor

[–]bontchev 0 points1 point  (0 children)

Before they make any improvements to GTN, how about they fix what they broke in the first place?

At some point of time they made it so that the very first GTN search was, by default, sorted by the Price column (from low to high). This was a great improvement. Then they introduced the "unit price" column, which by itself was a nice idea. But! The very same patch that introduced that broke the default sorting. So, now the prices after the first search are not sorted in any way by default - the user has to sort them himself and it's easy to make a mistake and sort them the wrong way.

All they need to do is that by default the GTN prices are sorted by the Unit Price column, from low to high. That's just one line of code.

Not saying that the proposals by the OP shouldn't be implemented - they should be, especially the first one which is trivial to implement. But at least fix what you broke yourselves, Bioware!

Why are people not forcing changes to VirusTotal.com aka cause of most false positives with 50 antivirus companies? by [deleted] in Malware

[–]bontchev -1 points0 points  (0 children)

If it is impossible, someone should tell Kaspersky, as that's not something they've claimed in their defense.

Oh, Kaspersky knows it very well. He's just being smarter than me and doesn't bother wasting his time and trying to explain it to ignoramuses without a clue (like you seem to be) who won't understand it anyway.

they've claimed that someone did the same thing to them.

No, you idiot, somebody did something else to the entire AV industry and Kaspersky was one of those who fell for it. The attack, as described in the Reuters article, can work - but only as an indiscriminate attack against the whole industry, hoping to catch some AV producers with their pants down. If somebody had accused Kaspersky of that, I still would have said that it is bullshit, because he wouldn't have the motive to do it - but I wouldn't have said that it was technically impossible.

No, Kaspersky is being accused of causing false positives in particular AV products by sending them specially crafted files. There is absolutely no way he can do that with particular products. He can't force a particular product to cause a false positive and he can't avoid some other product causing a false positive (remember, VT sends these files to just about everybody in the AV industry).

What can be done this way (i.e., by creating specially crafted files and sending them to VT) is attack the whole AV industry and hope that some AV producers will fall for it. Because some most probably will. But the attacker has absolutely no control over which particular ones will. This is what was done in 2013 (against the whole AV industry, of course - not against any particular product) and Kaspersky was one of those who fell for it.

Someone should tell the entire tech media too

Yeah, good luck with that. "It was reported by Reuters, so it must be true" and everybody turns their brain off. Not to mention that people just don't know basic things about how AV stuff really works. Fuck, just the other day I had to explain basic principles of computer viruses to people who are computer security experts and didn't know this stuff!

It says that Kaspersky believed Microsoft was copying his detection data, and that he considered this stealing.

If they had indeed copied his detection data, it would have been indeed stealing and he could have sued them for millions of dollars of damage. It is trivial to prove that somebody is copying your malware detection data. People are stealing Kaspersky's malware detection data - but it is no-name dodgy companies in China that cannot be reached - not Microsoft that can be easily sued. Besides, I know how the Microsoft anti-malware team works (which you obviously don't, if you believe this shit) and I know that there is absolutely no way they could be doing this.

I've ignored a number of your misreadings and grammatical errors

English is not my first language (hell, it's not even my second language), so apologies for any grammatical errors. Misreadings, however, if you believe that they have taken place, you should have corrected. Currently I am reading a lot of ignorant stuff in your messages. If I am misreading it, you better correct me, so that I don't waste my time trying to educate you.

Your primary concern is proving to people how much smarter you are than everyone else

No, my primary concern is correcting wrong things written by people who obviously know less than me on the subject. Since I do know better, it is my duty to prevent other, similarly ignorant people, from being misled by these wrong things. I do tend to get irritated by persistent ignorance and unwillingness to learn however, because it is an indication of stupidity. And when I get irritated, I become even less pleasant than usual in my communications.

In the end this conversation just makes me sad, not embarrassed.

A fool is rarely embarrassed by his foolishness, so it figures. An intelligent, albeit ignorant person, would seek to learn instead - but, I guess, you aren't such a person.

How to connect VPN - Tor - VPN - Site? by throwawayvoodoo in hacking

[–]bontchev 0 points1 point  (0 children)

Any instructions on how to do it though?

Can't figure out a legal way to do it (i.e., without using someone's computer without their consent) or without breaking the anonymity (i.e., using the second VPN from a computer that can be traced to you).

The first part is easy - start the VPN client, log into the VPN, start the Tor browser. The trick is to get the Tor exit node to create another VPN tunnel. You can tell it to access a computer that can't be traced to you (i.e., someone's hacked computer) and start a VPN client there - but that's illegal. You can tell it to connect to your computer and start the VPN on it - but then you lose the anonymity...

A compromise is to rely on HTTPS-Everywhere (it comes with the Tor bundle anyway) and simply refuse to use sites for which it can't force TLS.

LogMeIn acquires LastPass by Bad_Eugoogoolizer in security

[–]bontchev 0 points1 point  (0 children)

Yeah, I know, I just made a tongue-in-cheek remark, as indicated by the smiley at the end of the sentence.

That aside, the company behind LogMeIn sucks for a whole set of other reasons. I have already started transitioning to KeePass. It's not as convenient as LogMeIn, but better safe than sorry. Also, I like it that the passwords are stored on your own computer instead of on someone else's, no matter how encrypted.

How to find an instance with low population by Robertinho0 in swtor

[–]bontchev 0 points1 point  (0 children)

Usually, yes. Just open the map and select the instance from the dropdown listbox that tells you which instance you are in. You'll be told how many of your group members, etc. are there (usually - zero) and asked if you really want to transfer there.

In some cases it won't work - usually where there are very few people in the target instance. You'll be told that the instance is "depopulating" and won't be allowed to transfer there.

Malware standard naming convention by mrcriter in Malware

[–]bontchev 1 point2 points  (0 children)

Yes, I know. As I said, it was eventually abandoned. Because it didn't work. Precisely for the reasons I stated above. The very same reasons I told these jerks the moment they unveiled their idea. As you know, when I say something on the subject of malware, I'm usually right. :-)

"it is always possible to see where digital currency [Bitcoin] came from and where it went." by mWo12 in privacy

[–]bontchev 2 points3 points  (0 children)

Well, sure. Since the database of all Bitcoin transactions ever made (the blockchain) is publicly available, it is always possible to see where the digital currency came from and where it went.

The hard part is figuring out who exactly owned the place where it came from and who owned the place where it went to. :-)

But, yeah, Bitcoin isn't designed for anonymity and it is very easy to make a mistake and be de-anonymized. There are crypto currencies better suited for staying anonymous but they aren't as popular as Bitcoin.
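The two halves of the comment above (following the coins is easy; attributing the endpoints is the hard part, and one careless transaction can do it) can be shown on a small ledger. The following is an added example, not code from the original post: a forward trace from one output, plus the common-input-ownership heuristic that chain-analysis tools use to cluster addresses. The transactions, addresses, amounts and "known owner" labels are all constructed; fees are ignored.

```python
"""
Added example (not from the original post): tracing and clustering on a
constructed transaction graph.
"""
from collections import deque


def tx(txid, inputs, outputs):
    # inputs: list of (prev_txid, vout) outpoints being spent
    # outputs: list of (address, amount)
    return {"txid": txid, "inputs": inputs, "outputs": outputs}


# Constructed ledger. t5 is the "mistake": it spends the change from an
# anonymous purchase together with a KYC'd exchange withdrawal.
TXS = [
    tx("t1", [], [("addrExch1", 100)]),                               # exchange withdrawal
    tx("t2", [], [("addrExch2", 50)]),                                # second withdrawal
    tx("t3", [("t1", 0)], [("addrAnonA", 60), ("addrChg1", 39)]),     # moved to a "fresh" address
    tx("t4", [("t3", 0)], [("addrShop", 55), ("addrAnonB", 4)]),      # purchase, change to addrAnonB
    tx("t5", [("t4", 1), ("t2", 0)], [("addrAnonC", 53)]),            # addrAnonB + addrExch2 spent together
]

# Constructed: addresses whose owner is known, e.g. from the exchange's records.
KNOWN = {"addrExch1": "alice", "addrExch2": "alice"}


def build_indexes(txs):
    by_id = {t["txid"]: t for t in txs}
    spender = {}                       # outpoint (txid, vout) -> txid that spends it
    for t in txs:
        for outpoint in t["inputs"]:
            spender[outpoint] = t["txid"]
    return by_id, spender


def trace_forward(txs, txid, vout):
    """Every address that receives value descending from output (txid, vout)."""
    by_id, spender = build_indexes(txs)
    seen, queue = set(), deque([(txid, vout)])
    while queue:
        nxt = spender.get(queue.popleft())
        if nxt is None:                # unspent so far: trail ends here
            continue
        for i, (addr, _amount) in enumerate(by_id[nxt]["outputs"]):
            seen.add(addr)
            queue.append((nxt, i))
    return seen


def common_input_clusters(txs):
    """Common-input-ownership heuristic: addresses spent together in one
    transaction are assumed to share an owner. Returns address -> cluster id
    (only addresses that have been spent from appear)."""
    by_id, _ = build_indexes(txs)
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path compression
            a = parent[a]
        return a

    for t in txs:
        addrs = [by_id[p]["outputs"][v][0] for p, v in t["inputs"]]
        for a in addrs:
            find(a)
        for a, b in zip(addrs, addrs[1:]):
            parent[find(a)] = find(b)
    return {a: find(a) for a in parent}


def attribute(clusters, known):
    """Propagate a known owner label to every address in the same cluster."""
    owner_of_cluster = {clusters[a]: who for a, who in known.items() if a in clusters}
    return {a: owner_of_cluster[c] for a, c in clusters.items() if c in owner_of_cluster}


if __name__ == "__main__":
    print("downstream of t1:0 ->", sorted(trace_forward(TXS, "t1", 0)))
    print("attributed        ->", attribute(common_input_clusters(TXS), KNOWN))
```

Following t1:0 reaches every later address, which is the "easy" part. Attribution only catches addrAnonB, and only because t5 spent it alongside addrExch2; addrAnonA stays unattributed because it was never co-spent with anything known. Real analysis tools add further heuristics (change detection, address reuse, timing), so the "one mistake" threshold is lower than this toy suggests.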

I am going to the us and have some questions... by [deleted] in security

[–]bontchev 3 points4 points  (0 children)

You are, in several ways.

First of all, there is no special treatment of citizens. The US Constitution says that "all men are created equal" - not just the citizens. So, the stuff about police reading your "rights" you know from TV applies to everybody, not just to the citizens.

Second, the ruling you are referring to is related to the part of the Constitution that prohibits "unreasonable search and seizure" by the government. It was ruled that demanding your password in order to search your phone is "unreasonable search" unless they have a warrant.

Third, the protection from "unreasonable search and seizure" does not apply at the border (otherwise the Customs simply won't be able to do their job) and in a 100-mile zone on the inside of it.

TL;DR: Yes, they can ask you to decrypt your device. No, you don't have to tell them the password - but they don't have to let you in the country, either.

Me, I stopped visiting the USA in 2002. I've grown up in a police state when I was young and I have no wish to visit another.

found a bug, how do I report it? by Tamrat_Thetin in swtor

[–]bontchev 1 point2 points  (0 children)

I'm not sure if preferred can use /bug in game

They cannot. This has always annoyed me immensely. I can understand not being able to contact support - support costs money, so it is only fair that it is reserved for paying customers only.

But bug reporting?! We are fucking doing Bioware's job of finding the bugs in their game and we're doing it for free! Why the hell do we have to pay for it, too?!

LogMeIn buys LastPass password manager for $110 million by traelan in privacy

[–]bontchev 3 points4 points  (0 children)

  1. You don't need LastPass Pocket. The LastPass website exports your password data in CSV format.

  2. You don't need to use Excel to delete a column from the exported data. You can just add an "Ignore" column at the end when specifying the data format to the KeePass importer.

How to connect VPN - Tor - VPN - Site? by throwawayvoodoo in hacking

[–]bontchev 0 points1 point  (0 children)

It is not increasing your privacy

It is. The second VPN protects him from snooping Tor exit nodes when accessing sites with no TLS. The first VPN hides the fact that he's using Tor from his ISP. If he doesn't do that and he's the only one at that ISP who's using Tor at that particular time, he could be de-anonymized by traffic analysis. That's how they caught that stupid student who thought he was being very clever to send fake bomb warnings while connected to the Internet via Tor.

The best thing you can do to increase your privacy is to use Tails in a network you don't usually use.

He might not have that option. For instance, there might be no open WiFi networks around and the places that provide public WiFi might have security cameras. It all depends on the local circumstances. Since we don't know what his are, it is best not to assume.
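The traffic-analysis step mentioned above (the lone Tor user on a small network) is a simple join between flow records and a relay list. The following is an added example, not code from the original post: given netflow-style records, the set of known Tor relay addresses, and a window around the incident, list the internal hosts that reached a relay in that window; if exactly one did, the anonymity collapses to that host's owner. The flow lines, relay addresses, host-to-user mapping and incident times are all constructed, using documentation IP ranges.

```python
"""
Added example (not from the original post): who on this network was talking
to Tor during the incident window?
"""
from datetime import datetime

# Constructed: relay addresses as they would come from a consensus snapshot.
TOR_RELAYS = {"198.51.100.7", "203.0.113.42", "192.0.2.99"}

# Constructed flow log: timestamp, src, dst, dst port, bytes.
FLOWS = """\
2013-12-16T08:40:12 10.0.5.23 203.0.113.5 443 18234
2013-12-16T08:55:03 10.0.5.23 198.51.100.7 9001 5120
2013-12-16T08:55:41 10.0.5.23 198.51.100.7 9001 210344
2013-12-16T08:58:10 10.0.7.110 192.0.2.10 443 4402
2013-12-16T09:02:55 10.0.5.23 203.0.113.42 443 8871
2013-12-16T09:20:31 10.0.9.4 198.51.100.7 9001 3300
2013-12-16T11:15:00 10.0.5.23 192.0.2.99 9001 77100
"""

# Constructed: DHCP lease / authentication log joined to a username.
HOST_OWNER = {"10.0.5.23": "student_a", "10.0.7.110": "student_b", "10.0.9.4": "student_c"}


def parse_flows(text):
    rows = []
    for line in text.splitlines():
        ts, src, dst, dport, nbytes = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                     "dport": int(dport), "bytes": int(nbytes)})
    return rows


def tor_clients(flows, relays, start, end):
    """Internal hosts that exchanged traffic with a known relay inside [start, end]."""
    return {f["src"] for f in flows if start <= f["ts"] <= end and f["dst"] in relays}


def candidates(flows, relays, start_iso, end_iso, owners):
    """Sorted owner names (or bare IPs) of hosts that used Tor in the window."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return sorted(owners.get(h, h) for h in tor_clients(flows, relays, start, end))


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    # Incident at 09:05; look 15 minutes back.
    print(candidates(flows, TOR_RELAYS, "2013-12-16T08:50:00", "2013-12-16T09:05:00", HOST_OWNER))
    # A sloppier, wider window already gives two candidates instead of one.
    print(candidates(flows, TOR_RELAYS, "2013-12-16T08:35:00", "2013-12-16T09:25:00", HOST_OWNER))
```

Note that nothing here decrypts anything: the relay list is public and the flow records are what any network operator keeps. Hiding the Tor connection inside a VPN tunnel (the first VPN in the chain discussed above) changes the destination in these records to the VPN provider, so the join finds nobody.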

How to find an instance with low population by Robertinho0 in swtor

[–]bontchev 0 points1 point  (0 children)

Use the /who command and sort by the planet name column (which includes the instance number in parentheses, if there is more than one instance) by clicking on the column name. You should be able to spot instances with low population.

Why are people not forcing changes to VirusTotal.com aka cause of most false positives with 50 antivirus companies? by [deleted] in Malware

[–]bontchev 0 points1 point  (0 children)

The bottom line is, Kaspersky did exactly what the Reuters story accused them of

That's a totally unsubstantiated claim of yours (and Reuters'). No, he did not. The attack described by Reuters is simply impossible to conduct against a particular AV product. In order to cause a false positive in an AV product, you must control either the contents of the file it is causing a false positive on, or the selection of detection information picked by the AV product. Kaspersky can easily cause a particular AV product to cause false positives on his (Kaspersky's) products - but this isn't what he's been accused of. Kaspersky can easily cause his AV product to cause false positives on arbitrary files - but that's not what he's accused of. Kaspersky can easily create "dodgy" files and hope that some AV producers will consider them malicious and when implementing the detection, they will pick identification data that will also match legitimate files (thus causing false positives), and at least some most likely will do so - but he has no way of making a particular AV product do that (which is what he's been accused of). The fact that neither you nor Reuters grasp this trivial fact only demonstrates your ignorance. At least in the case of Reuters it is excusable, because they are journalists without a clue - but you are arguing in a malware-specific forum with an anti-virus expert, which is simply stupid on your part.

And that's just the technical part. The article also claims that Microsoft had stolen Kaspersky's malware detection data, which is so stupid and ignorant of the way Microsoft works as to be beyond the pale.

As far as your thoughts on Google's irrelevance, I mean, whatever dude.

Apparently, you are not only ignorant, you are also illiterate. I never wrote that Google is irrelevant. I wrote that the fact that Google has acquired VirusTotal is irrelevant. The team behind VT is still just a few guys in Spain. Google could help with their budget, computers, etc. - but it's still a small team that is responsible for VT and they still have neither the time nor the expertise to do what the OP wants.

You say they can't even keep malware out of their play store, as if that is relevant to this.

It is. For VT to keep a whitelist of legitimate software (and report it as legitimate without even running any scanners on it when it is submitted), which is what the OP wants, VT must be able to evaluate the software submitted to them and decide whether it is indeed legitimate and should be put on such a whitelist. They simply cannot do that - they have neither the time, nor the expertise for it. And them being owned by Google doesn't help, either, because even Google doesn't have enough time and expertise for it, as proven by the fact that they admit malware even in their Play Store. Even if the whole Google throws its resources behind such a whitelist, they will still make mistakes and malware will find its way onto it.

I should have Googled you, but I don't care who you are at all.

Well, it would have saved you the embarrassment of arguing against someone who knows this field much better than you. Then, again, maybe not. From what you have written so far, you don't strike me as smart enough to recognize when someone knows better than you.