View Full Version : They're catching up ;)


Fake51
July 7th, 2005, 03:46
Finally, it seems that the av and anti-malware industry is catching on to the techniques of rce and the likes:
http://www.virusbtn.com/conference/vb2005/programme/index.xml

The technical stream actually has some interesting stuff.

I must say, I particularly like the following statement from Symantec's Frederic Perriot's abstract:
Quote:

Compared to "forward engineering", reverse engineering is in its infancy. Today's successful reverse engineering projects are still mostly heroic individual efforts, where the experience, ingenuity and tenacity of the analyst play a prominent role. Guiding principles of rational software engineering such as team work, code reuse and testing have little or no equivalent in reverse-engineering.

What the fuck does he think we've been doing all these years? NOT sharing knowledge?? Not developing tools for ourselves and others to use?? Not working together on projects?
You'd think that the fact that the warez scene can have something cracked in less than a week (and typically less than a day) no matter the protection scheme would give the man a clue that SOMEONE knows a thing or two about rce.

Other than that, the meet actually looks interesting. Wonder if anyone other than the industry will turn up.

Fake

Polaris
July 7th, 2005, 05:32
That is quite ridiculous, they seem to have forgotten ALL of the work done in the scene by US (no way, we do LEAD the reverse engineering scene)...
Papers, tools and more have been developed by us that can be effectively used in malware analysis: unpackers & manual unpacking guides, standalone tools, plugins for the most advanced tools like IDA & OllyDbg...

Zero
July 7th, 2005, 05:55
I think you misunderstand the above statement.

This is about "reverse engineering" and NOT about "reverse CODE engineering".

Quote:

Guiding principles of rational software engineering


Those guys are NOT talking about RCE as we do. This is about software development processes, the RUP (Rational Unified Process) and such things. And this is about reversing software architectures, for example how to transform Java sources to UML diagrams and such things. This is where terms like SPICE, CMM, software process tailoring become familiar.

I struggled for 1 year with my boss (he is a software engineering purist) to tell him that what he understands has NOTHING to do with what we do... Finally I won.

That's why I prefer the term "reverse CODE engineering", to differ from these methodological guys.

Fake51
July 7th, 2005, 08:19
Well, look at what he writes later in the abstract:
Quote:

As malware grows ever more complex, and the need for information ever more pressing in outbreak situations, the reverse engineer faces an uphill battle: one where the attacker(s) produces malware using a rich set of tools and libraries, working at a high level of abstraction, whereas the defender suffers from a relative lack of appropriate tools and methodologies.

I'd say he's at least in our ballpark. There will be big differences, but it does seem to me that he's asking for something at least part of which he could find in this community.

Fake

Zero
July 7th, 2005, 10:09
I agree with this.

disavowed
July 8th, 2005, 06:43
Quote:
[Originally Posted by Fake51]

What the fuck does he think we've been doing all these years? NOT sharing knowledge?? Not developing tools for ourselves and others to use?? Not working together on projects?

My feelings exactly. From my experience in the AV industry, I can say that most AV people don't even know that we exist. I would say 90%+ have never heard of fravia, this board, Exetools' board, or Zero's board.

Neitsa
July 9th, 2005, 21:22
Quote:

My feelings exactly. From my experience in the AV industry, I can say that most AV people don't even know that we exist. I would say 90%+ have never heard of fravia, this board, Exetools' board, or Zero's board.


Hmmm, I was thinking, innocently, that most (or at least, say, half) of the guys working for AV firms were talented old or retired crackers / reversers / Vxers who just wanted to earn money with their knowledge... (the other part coming from university / engineering, etc.).

Why not try to beat something (in this case virii) with guys who know this thing very well and are even capable of producing it? If you can do it, you can defeat it, no?

I'm sure that many talented reversers and maybe Vxers are waiting to be engaged by some AV group. After all, reversing and coding for fun is cool, it brings you a lot of knowledge about many computer-related things, but it doesn't feed the man...

After all, governments are hiring hackers to protect them from other hackers...

So, why not engage people from the "scene"?

Fake51
July 10th, 2005, 03:49
Quote:
So, why not engage people from the "scene"?

Good question. Companies have been doing it for years with hackers (and I'm using the term in the sense of someone who breaks into other people's systems). However, all along there has been a public resentment against it: people think that those who commit cybercrimes are afterwards rewarded with good jobs. This is of course a fair argument, but it overlooks the point that companies need experienced people and that people who have been busy working these arts have exactly that experience.
When it comes to virii the points of view are typically given an edge: if you write a virus and release it, you're not just doing something to see if it can be done, you're actively destroying other people's work and property. This then adds the consideration that these people might not really respect others or their property. I'm not sure I'd want someone like that to work for me.
Then again, if people take their punishment and seem willing to change, I see no reason to keep punishing them. I suspect, in the end, it might come down to whether AV companies think they can trust virii coders. And of course, for quite the largest part of the virii scene ... they're fucking twits and bitches who can't do any proper code anyway, only implement some exploit somebody else discovered and published, in a hll or virkit.
Oh, and consider how you would put virii-writing on your cv: "Yes sir, I wrote the sasser virus that caused a huge amount of damage. Please hire me instead of reporting me to the police." Doesn't quite seem a good idea, right?

Fake

Silver
July 10th, 2005, 11:31
Quote:
Oh, and consider how you would put virii-writing on your cv: "Yes sir, I wrote the sasser virus that caused a huge amount of damage. Please hire me instead of reporting me to the police." Doesn't quite seem a good idea, right?


It worked for Mitnick...

Fake51
July 10th, 2005, 11:47
Where did he get employed during his hacking activities (before he got busted) on account of showing a CV of writing virii?

Fake

dELTA
July 10th, 2005, 12:40
Fake51, I think your comparison between virus writers and "hackers" is unfair.

I'd rather say that the following "activities" are equal (see below), and hence that the two categories of people are just the same, it is just considered a "bigger sin" to hire a virus writer anyway. Possibly also connected to the fact that AV companies make their money in a more "direct way" from active virus writers than security companies do from hackers:

* Write a virus and not release it = Hack you own servers

* Write a virus without destructive payload (or destructive bugs) and release it = Hack someone else's system without stealing or damaging anything

* Write a virus with a destructive payload and release it = Hack someone else's system and damage/steal something

So one isn't really worse than the other, it's just considered a bigger stigma in the AV business to hire "scene people" in general I think.

Fake51
July 10th, 2005, 12:50
Yes, I'd say you're pretty much right. However, one should keep in mind that virii almost never target just one firm - I mean, the chance of a hacker wreaking as much damage as any of the recent virii in the wild is close to nil. That put aside, I think there are also considerations of the actions done by the different persons. If you write an evil virus that'll spread like wildfire, you have no control whatsoever over it - so in reality, you're targeting pretty much anybody and everybody. Hackers (well, the oldschool of them anyway, not script kids) may try to break into as many places as possible, but it's always directed at one given place, and can be aborted if one finds out that one is doing a whole lot of damage.
One should also keep in mind that even making virii with non-destructive payloads might still create a lot of damage, as seen with mass-mailing worms that can break down the net.
But these are mainly minor differences, and don't really give much reason why there should be a difference in the public opinions of the two groups. And I don't think the public opinion is that divided - it's just that there are many more examples of companies hiring hackers than hiring virii writers. That's a difference in opinion with respect to companies, not the public.

Fake

HAVOK
July 11th, 2005, 04:09
Quote:
[Originally Posted by dELTA]

I'd rather say that the following "activities" are equal (see below), and hence that the two categories of people are just the same, it is just considered a "bigger sin" to hire a virus writer anyway.



Yep, I agree. VXers do not care about all the damage they (potentially or not) do.

I also want to point out two examples of very famous VXers who are currently hired by security companies:

1. Ratter\29A (see h**p://vx.netlux.org/lib/vra01.html)
2. Benny\29A.

For the second example check h**p://www.theregister.co.uk/2004/11/12/vxer_job_controversy/

where there is a small discussion of this topic.

Ever wanted to apply for an RCE-related job? Well, check codebreakers-journal.

Cheers,
Havok.

Fake51
July 11th, 2005, 04:17
Nice to know there's actually a chance of putting the knowledge gathered through interest to work. It would be kind of strange if no one had any interest in RCE-experienced people.

Fake

blabberer
July 11th, 2005, 04:37
Well, take a look at openrce.com.
Someone already advertised there looking for ppl with rce-related experience:

Quote:

Determina is looking for a senior software engineer with experience in reverse engineering Windows/Unix applications to

laola
July 16th, 2005, 16:08
For my taste, they still stick too much to "what certificates do you have" instead of "what skills do you have" (And yes, I read that sentence about their willingness to accept blablabla....)

P.S. Yes, I know I *am* happy to have found an employer who puts emphasis on skills, not papers.