• Barbarian@sh.itjust.works
      link
      fedilink
      arrow-up
      51
      ·
      edit-2
      5 months ago

      Yes. Security through obscurity is an illusion. ClamAV is a well known and high performance open source AV solution.

      Edit: Here is the CWE entry on the topic in case anybody wants to read some more details as to how and why obscurity is not a valid approach to security.

    • Technus@lemmy.zip
      link
      fedilink
      arrow-up
      21
      ·
      edit-2
      5 months ago

      Strictly speaking, it’s not anti-virus software. It’s not designed to prevent malicious software from running or remove it. It’s just monitoring for behavior that looks malicious so it can notify the system administrator and they can take manual action.

      Most of the actual proprietary value, ironically enough, is in data files like the one that broke it. Those specify the patterns of behavior that the software is looking for. The software itself just reads those files and looks at the things they tell it to. But that’s where the bug was: in the code that reads the files.

      • Hildegarde@lemmy.world
        link
        fedilink
        arrow-up
        7
        ·
        5 months ago

        I wouldn’t call it a bug.

        Any software running in kernel mode needs to be designed very carefully, because any error will crash the entire system.

        The software is risky because it needs to run in kernel mode to monitor the entire system, but it also needs to run unsigned code to be up to date with new threats as they are discovered.

        The software should have been designed to verify that the files are valid, before running them. Whatever sanity checks they might have done on the files, it clearly wasn’t thorough enough.

        From my reading, this wasn’t an unforeseeable bug, but a known risk that was not properly designed around.

    • TootSweet@lemmy.world
      link
      fedilink
      English
      arrow-up
      8
      ·
      5 months ago

      If the security of your algorithm depends on the algorithm itself being secret, then it’s not safe to distribute the software only in binary form either.

    • uis@lemm.ee
      link
      fedilink
      arrow-up
      6
      ·
      5 months ago

      Yes. CalmAV comes to mind. “Security by obscurity” is no security.

    • frezik@midwest.social
      link
      fedilink
      arrow-up
      4
      ·
      5 months ago

      Not easily.

      Anti-virus companies–when they do it right–have tightly controlled air-gapped systems that they use to load viruses and test countermeasures. It takes a lot of staff to keep those systems maintained before we even talk about the programming involved, plus making sure some idiot doesn’t inadvertently connect those machines to the main building WiFi.

      There was at least one confirmed case of a virus spreading through speakers and microphones. What “air-gapped” means is pretty extreme.

      If it’s possible at all, it’d have to be through significant donations or public funding. A volunteer effort isn’t going to cut it.

      • Avatar_of_Self@lemmy.world
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        5 months ago

        Well it isn’t actually a confirmed case. Ruiu, the original person reporting the issue wasn’t sure exactly what the surface area of attack was at the start. Ruiu Dragos, who is a security researcher believed it infected via speakers.

        Eventually Errata CEO, Robert Graham, said that if he spent a year, he could build malware that did the same and that it was ‘really, really easy’

        Eventually, Ruiu noticed that the initial stage of infection was from one of his USB sticks.

        The speakers part comes in that he found that the packets transmitted between badBIOS infected machines stopped if he disconnected the internal speaker and microphone.

        Meaning, that sure, badBIOS may communicate data with each other via speakers but that it has never been proven that it could actually infect another machine via speakers. However, that hasn’t stopped articles from conflating things.

      • uis@lemm.ee
        link
        fedilink
        arrow-up
        1
        ·
        5 months ago

        Article doesn’t explain how it even coupd spread at all.