listening to the underground


June 19th, 2007

I’ve met a real security researcher once. He writes academic papers, works for one of the big virtualisation companies and, I think, even teaches a course or two. He told me there is a clear distinction between the style in which academic papers are written - the ones by PhDs, at least - and how blackhat docs come about.

Certainly the darkest shade of gray you’d find at ACM is a reference in one of the papers to some Phrack article or another. The idea takes from that article, even if to debunk it, and so it shows that the security researcher - whether a professor at a prestigious university or an undergraduate student making his entire contribution to that paper through that one piece - has “listened to the underground.”

Certainly in what we like to call the civilized world[1] reading something is not illegal - short of top secret documents that you don’t have clearance for, I’d guess. The way by which said Phrack article was produced might be a light tint of black, but the finished work can hardly be considered as such. Is there a problem, here? I’d say not. Surely, my previous post could be interpreted in a number of ways - that I download warez, that I give people a way to build what could be a botnet - what, after I recently congratulated the FBI’s attempt to squash some bot-herders? But in reality it’s just something I thought about after reading a few papers and browsing a few publicly available forums and newsgroups where release .nfos and warez-talk take place.

Even if I were to create such a covert-malware distribution[2], I could be responsible and not release it in the wild, but rather talk to someone about it - either MS or 2600, I guess. Even that might be useless, since MS could not be expected to cover up something which isn’t even their fault. Heck, it would probably help them boost sales. All the AV and firewall providers, too. So, what’s the point?

The hacker says - because it can be done. Even if it’s hard - especially then - nothing beats the rush. Illegal? Maybe, maybe not; most hackers are not lawyers and care more about technology anyway.

The security researcher says - maybe we can prevent this somehow. After all, Blue Pill was debunked - this, too, would be possible to detect once it’s a known threat. So we should look into it and come up with a quick fix.

Can I think of a fix? There might already be system integrity tools - certainly MS could release one, but you’d probably need to have WGA, so that defeats the whole purpose. A third-party tool would need to be free and kept updated, and may easily yield false positives. There’s the problem of tracking, too - if I use this tool, does that mean I have a pirated copy of Windows?

But I digress. In the interest of science - where this interest can reasonably be demonstrated - I believe listening to the underground is of paramount importance. Even if your paper is written in a clean and academic tone - show that you’ve read the latest unnamed philes and dox dropped on .cn FTPs. As many will say, security is a cat-and-mouse game where bad guys always have the upper hand.

  1. I’m resisting the urge to divert from the subject.
  2. For this it is possible to use a licensed copy of Windows, although the actual patching/rootkitting might be a shady deal, legally speaking, and a definite violation of the EULA - but, in the interest of science…
