Real Question Around the F-Secure Apology
Mikko Hypponen just pseudo-apologized that F-Secure had the "flame / skywiper / viper" virus code in its automated repository as early as 2010. It causes me to wonder a couple of things.
My first question is "to whom is he apologizing?"
Security professionals?
Probably not.
Most security professionals I know don't trust a single commercial AV package as far as they can be thrown (which is actually pretty far if it's on a CD ;) ). Real security professionals understand that AV software is somewhat good at stopping mass-effect kinds of viruses that use or reuse packers, crypters, or even zero-day techniques for which a signature can be developed. Non-skiddie attacks, by carefully crafted and targeted software, will beat commercial AV software 100 out of 100 times. So the apology isn't to security professionals; we already know that commercial AV is basically a dung catcher, nothing more.
Mikko says as much himself;
"The truth is, consumer-grade antivirus products can't protect well against targeted malware created by well-resourced nation-states with bulging budgets."
Maybe he is apologizing to grandma (that term that we use for the non-technical, normal user who ALWAYS needs their machine cleaned)!
Probably not.
Grandma doesn't know who Mikko is, and probably can't get her computer to boot past the scareware screen, because her account has been emptied by a Zeus variant that the commercial AV community hasn't been able to stop FOREVER. (I'm familiar with one 14,000 workstation organization that had only a 22% success rate stopping Zeus/Spyeye variants using a competing commercial "Anti" solution).
Is he apologizing to his current customer base?
Who knows? We don't know if any of their current customer base were owned. As if they would ever admit it.
So anyway, he is seemingly apologizing, despite the fact that no one is asking for an apology.
The second question is "who is Mikko apologizing for?"
That's easy.
He isn't apologizing for F-Secure specifically. NO, as the grand pooh-bah of all AV vendor bloggers (I guess) Mikko takes it upon himself to apologize for the WHOLE commercial AV industry. (The rest of you can go about your business thank you very much).
Which begs the question, "WHY?"
Panda doesn't have bloggers?
Trendmicro out on holiday?
McAfee not able to speak for themselves?
ESET too busy sending updates to Iran?
I could go down the list of the other forty some vendors who have AV solutions hooked to Virustotal.com, but you get the picture.
Of course if you get through the dripping sarcasm (sorry, it's Monday), the obvious answer is that Mikko isn't really apologizing at all. He is managing to inject himself (and F-Secure by association) into the story so that he can continue his reputation.
It's all a grand bit of marketing, in a business where there are historically two types of people, those who do, and those who market (who may or may not have been part of the first group originally).
OK, fine. We're all grown-ups. It's not the first time (or the last time) that someone has horned in on a real event to make some money. (sigh)
But I have one more question, a $64,000 question if you would. It is a question that BETTER get answered before people keep paying F-Secure or any other commercial AV vendor for their services.
The REAL question, the one that's most disturbing to me, is "why is Mikko talking to the Iranian CERT?"
Which is just part of a bigger question, in light of the Stuxnet discovery... "why is ANY AV vendor talking to, or allowing updates from Iran?"
OK, so I'm gonna use the CW word now, ok?
Because, ostensibly, we have engaged in a type of guerrilla cyberwar with the Iranians in an attempt to slow their attempts to enter the small "We have a nuclear bomb!" club.
And yet Iran has no compunction about picking up the phone and calling Mikko and asking for help?
Wow!
That's the story to me.
I mean, if we really don't want to see the Middle East blow up, then maybe we should kind of put Iran on caller block when it comes to any kind of cyber security cooperation.
I don't care what your politics are.
I don't care which country you come from.
It seems that we can be "big enough" to understand that there are certain actors and countries which really need to be left OUT of the cyber security discussion and community until they grow up. One of those is obviously Iran. And yes, I'll say it, another is China. Oh, and let's not forget North Korea.
I'm not being arbitrary in my selection, really. Each of these countries (and a few others) have failed miserably in the human rights areas and have BTW already acted aggressively themselves in our cyberworld.
The real story of how the Iranians found Stuxnet hasn't really been told as loudly as it should IMHO as well. It was ESET that let that one out of the bag (and few people cried foul).
If non-US companies want to "help" uncivilized nations in being uncivilized, then that is their right, but let's make sure that we don't continue to subsidise the AV research of North Korea, Iran, China and others, by helping to pay Mikko's salary, ok? Because that is OUR right.
And BTW, no one is falling for the "altruistic" "we don't care about politics" line. We know you don't care about politics, you care about money and staying in the limelight. You're not being altruistic, you're being opportunistic.
If you're going to sincerely apologize to anyone, it ought to be to the free world, you know, the one that is trying to protest Iran's oppression of freedom, the one that is trying to keep Iran from blowing up the rest of the world, and not to some mythical cyber security community or customers that don't see your "apology" for what it is.
My absolute best advice to any company engaged in cyber security is this..."Don't apologize...screen."
Last Updated on Friday, 22 June 2012 13:57 Written by DC 406 Webmaster Monday, 04 June 2012 07:36





Mikko is like a doctor, he does not ask. He will help. It does not matter who did it.