Saturday, May 24, 2008

The problem with amateur crimefighters

I wish to preface this with the fact that I am a deep believer in cooperation and data sharing. Also, I really appreciate the work that volunteers put into maintaining different resources (like the excellent CastleCops forums).

But you have to remember that these people are not professionals and sometimes don't have a complete understanding of all the aspects of the issue. Still, people cite them as references and base decisions on their opinions. The Internet was regarded as the ultimate place for meritocracy; however, sometimes it turns into a contest of who can yell louder and/or a popularity contest.

Concrete example:

The DNS Black Hole project puts out a list of domains to block (or black-hole - hence the name I suppose). Until recently they did not have an official policy on removing domains. Recently they put up a post in which they try to clarify their take on the issue of false positives, and seem to take a (from their point of view) quite reasonable stance that they are just an aggregator and if you wish a domain to be removed, you should contact the original source.

However, this raises the question of the quality of their data. I understand that they don't have the capacity to validate every single submission, but if they can't even check out false positives, is this really a blocklist you wish to use? You might as well start blocking entire countries...

Sometimes they realize that they are blocking an unrelated third-party service (like recently, when they announced that they are adding some dynamic DNS providers to the blacklist because they are used extensively by malware), and sometimes they don't. The current list includes at least two free services from Romania which offer free webhosting and probably from time to time host malware, just like Geocities. But you won't find all Geocities sites blocked by it, even though both of these Romanian / lesser-known sites are blocked completely. I tried to contact them a few weeks back to let them know about the problem and I have yet to receive any feedback.
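The check described above, done before a blocklist is deployed rather than after a provider complains, as an added example (not code from the post or from the DNS Black Hole project): it parses a hosts-file style list and separates entries that block a whole multi-tenant parent domain (every customer of a free host or dynamic DNS provider) from entries that name one site under such a parent. The list contents and the parent domains are constructed placeholders under the reserved .example and .test TLDs, not real providers.

```javascript
// Added example, not code from the post. Reviews a hosts-file style
// blocklist for overbroad entries. All data below is constructed.

const SAMPLE_BLOCKLIST = `
# constructed sample blocklist (hosts-file format), not a real feed
127.0.0.1 malware-example.test
127.0.0.1 free-hosting.example
127.0.0.1 badsite.free-hosting.example
127.0.0.1 dyn-provider.example
127.0.0.1 sub.other-site.test
127.0.0.1 test
`;

// Parent domains under which many unrelated customers live (constructed;
// a real review would maintain this list from the deployer's own knowledge).
const MULTI_TENANT_PARENTS = [
  'free-hosting.example',
  'dyn-provider.example',
  'shared-pages.example',
];

// Parse hosts-file lines: drop comments and blanks, keep the hostname column
// (second column when an address is present, otherwise the whole line).
function parseBlocklist(text) {
  return text
    .split('\n')
    .map((line) => line.replace(/#.*$/, '').trim())
    .filter((line) => line.length > 0)
    .map((line) => {
      const cols = line.split(/\s+/);
      return (cols.length > 1 ? cols[1] : cols[0]).toLowerCase();
    });
}

// Classify each entry:
//   wholeProvider - the entry IS a multi-tenant parent, so every site under
//                   it is blocked (the false-positive pattern the post describes)
//   singleTenant  - one site under such a parent (targeted, as intended)
//   bareTld       - a single label, i.e. an entire top-level namespace
//   other         - everything else
function reviewBlocklist(hosts, parents) {
  const result = { wholeProvider: [], singleTenant: [], bareTld: [], other: [] };
  for (const host of hosts) {
    if (parents.includes(host)) result.wholeProvider.push(host);
    else if (parents.some((p) => host.endsWith('.' + p))) result.singleTenant.push(host);
    else if (!host.includes('.')) result.bareTld.push(host);
    else result.other.push(host);
  }
  return result;
}

function demo() {
  const review = reviewBlocklist(parseBlocklist(SAMPLE_BLOCKLIST), MULTI_TENANT_PARENTS);
  for (const [kind, entries] of Object.entries(review)) {
    console.log(`${kind}: ${entries.join(', ') || '(none)'}`);
  }
}

demo();
```

Entries landing in `wholeProvider` or `bareTld` are the ones worth questioning with the list's source before the list goes into a resolver; the other two buckets are the list doing what it claims to do.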

The maintainer of the site also offers his (or her?) expert opinion about how to fix the problem: remove iframes and detect obfuscated javascript. This basically demonstrates that s/he has no substantial understanding of either HTML or Javascript.

I'll talk a little about the Javascript idea, because this seems to be the wider misconception: first of all, Javascript packers (for better or for worse) are used on commercial sites (think CNN, CNET, etc). If you've seen code beginning with function(p,a,c,k,e,d), that's actually a commercial packer used on a lot of sites! Second of all, the idea of detecting obfuscation is too vague, and possibly (similar to the problem of writing an algorithm to detect any computer virus) impossible to solve. Third of all, browsers are not (and should not be) in the business of producing blacklists/whitelists (becoming some sort of AV company, basically). They should try to create additional security measures; however, creating such lists is probably too big of an overhead for most of them (many of them being open source) and just replicates the problems of AV engines on yet another level. If you want blacklist-based protection against malicious Javascript code, get an AV which offers this.
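What the function(p,a,c,k,e,d) wrapper actually does, as an added example (not code from the post and not the packer's own source): it is a dictionary substitution, where every word in the payload is an index in base a into the word list k. The block below re-implements that substitution and its inverse, round-trips a constructed, benign script through it, and then scores both forms with a constructed surface-level "obfuscation" heuristic of the kind the post argues against. The packed-form stub text is written by hand here in the shape the packer emits; the heuristic is made up for the demonstration and stands for no real product.

```javascript
// Added example, not code from the post. Shows that the p,a,c,k,e,d wrapper
// is plain compression and that a surface heuristic cannot tell it from
// anything malicious. All inputs are constructed for this demo.

// The substitution the unpacker performs: each \w+ token in `p` is an index
// written in base `a`; `k` is the word list it indexes into.
function unpack(p, a, c, k) {
  const dict = new Map();
  while (c--) dict.set(c.toString(a), k[c] || c.toString(a));
  return p.replace(/\b\w+\b/g, (w) => (dict.has(w) ? dict.get(w) : w));
}

// The inverse: number each distinct \w+ token in order of first appearance
// and return the four values the packer hands to its unpacker.
function pack(source, a = 36) {
  const k = [];
  const index = new Map();
  const p = source.replace(/\b\w+\b/g, (w) => {
    if (!index.has(w)) {
      index.set(w, k.length);
      k.push(w);
    }
    return index.get(w).toString(a);
  });
  return { p, a, c: k.length, k };
}

// A benign constructed script of the kind a commercial site would pack.
const BENIGN = 'function showAd(){var e=document.getElementById("ad");e.style.display="block"}';

// Render the packed form as source text, in the shape the packer emits
// (the unpacker stub below is written by hand for this example).
function renderPacked({ p, a, c, k }) {
  const stub =
    "eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};" +
    "if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}" +
    "k=[function(e){return d[e]}];e=function(){return'\\\\w+'};c=1};" +
    "while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}return p}";
  return `${stub}(${JSON.stringify(p)},${a},${c},${JSON.stringify(k.join('|'))}.split('|'),0,{}))`;
}

// A constructed surface-level "obfuscation" score: eval, the packer
// signature, and a high density of non-letter characters. It sees only
// the shape of the text, never what the script does.
function naiveObfuscationScore(src) {
  let score = 0;
  if (/\beval\s*\(/.test(src)) score += 2;
  if (/function\(p,a,c,k,e,d\)/.test(src)) score += 2;
  const symbols = (src.match(/[^A-Za-z\s]/g) || []).length;
  if (symbols / src.length > 0.4) score += 1;
  return score;
}

function demo() {
  const packed = pack(BENIGN);
  const packedSource = renderPacked(packed);
  console.log(packedSource);
  console.log('round trip ok:', unpack(packed.p, packed.a, packed.c, packed.k) === BENIGN);
  console.log('score plain :', naiveObfuscationScore(BENIGN));
  console.log('score packed:', naiveObfuscationScore(packedSource));
}

demo();
```

The same benign script scores zero in plain form and well above the likely alert threshold once packed, which is exactly the false positive a CNN- or CNET-style site would trigger; nothing about the text distinguishes it from a packed script that does something unwanted, which is why the post calls the detection idea too vague to solve.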

PS Sorry for ranting / sounding jaded. I want to emphasize again that I do appreciate all the work put into these (free) services; it's only that I wish people would investigate claims before putting their faith in some of these sources (and also the fact that I can't seem to get to sleep :-)).


