A corollary plea to infosec journalists: when the cyber security community pitches a publication that appears to be state espionage on credible targets, ask the researchers about their reasons for disclosure.
We usually aren't competent to make such determination. We can only describe what the malware does, how it does it, and to what other malware it seems similar. Not the reasons behind it. Generally, malware analysts shouldn't be doing attribution.
Agreed. Doing attribution based purely on code analysis is very iffy (and attribution is typically not critical to protecting against that code).
That’s beside the point. Researchers commonly have a clue about the victimology based on PII leaks, sample names, bait or delivery methods, and other indicators. The victims of a backdoored Mujahideen Secrets are probably going to be al Qaeda.
No, it doesn't. It could be the result of someone trying to scam them in some way (e.g., in order to steal money donated to them). And we don't care. Our job is to find the malware and to protect its victims. It's not to decide who did it and if their intentions were good or bad.
Insisting that we, the AV people, don't analyze, detect, or publish info about malware that *might* be from someone's law enforcement operation is like insisting that a doctor should refuse to treat a patient who *might* be a criminal.
We might be afraid to do so (just as the doctor might be afraid of the patient), but not doing it goes against our professional ethics. Not our job to decide who is good and who is bad. Only what the malware does.
Especially in cases when the malware is used in clearly criminal situations. Infecting routers of cafes is clearly a crime and I don't care what high ideals were motivating the spooks who did it. What about the innocent people whose communications were compromised?
Again, it is NOT our job to make such decisions. We just fight malware. If the spooks don't want their malware discovered, analyzed, and public articles about it written - they should learn to hide it better and have it affect fewer people.
New conversation
I feel like we’re at a moment where we need to come together as a community and discuss when we should disclose something publicly. For too long public reporting has been for PR purposes - our work has impact beyond the news cycle.
@juanandres_gs gave a talk on that and wrote a paper, and I gave a talk on a similar topic. It’s been known for years that playing commercial PR games with law enforcement and intelligence/CT work is sensitive. Not many seem to care though.
Big fan of his paper and agree with all of it. It’s just time to do something (however that happens)
Link to paper for those not in the know?
Thanks!!
New conversation
The real-world implications are something that deserves more thought, but I can see how this could get murky if actors are using the same infra, same implants for non-CT work that warrants robust defense, for example.