A grown-up industry

2014-05-01

Martijn Grooten

Virus Bulletin, UK
Editor: Helen Martin

Abstract

‘We plan to increase our scope further and look even more at other areas of IT security.’ Martijn Grooten



The recently announced [1] changes at Virus Bulletin have given us plenty of reason to look forward. But they have also provided us with an excuse to look back at the 25-year history of the company.

One episode that is remembered with a mixture of nostalgia and frustration at VB’s headquarters is that of W97M/ColdApe [2], a 1999 virus that, among other things, sent an email from each infected machine to [email protected], the email address of erstwhile VB Editor Nick FitzGerald.

Reading about ColdApe, I couldn’t help but notice how much things have changed in the last 15 years. A discussion I stumbled across between Nick and the author of the virus [3] on the alt.comp.anti-virus newsgroup not only highlighted the fact that such dialogues took place frequently and in the open, but it also gave the impression of mere child’s play compared with the threats we see today that are perpetrated by organized criminals and nation states.

At the same time, the distinction between good and bad was always very clear: there were those writing the viruses and those fighting them, and the two were separate worlds. The idea that someone from one of those worlds could find employment in the other was unthinkable – and has been the topic of many heated discussions at VB conferences over the years.

Many security researchers still make a distinction between good and bad actors, though there is increasing disagreement over who fits into which category. There is even less agreement on which actions are bad – and quite often it depends on the circumstances. Running a device at the corporate gateway to prevent employees from accessing malicious websites is generally considered an advisable thing to do.

Running the same device at a country’s ISPs to prevent its citizens from accessing websites that are not in line with the government’s view is considered by most to be heavy censorship.

Hacking into a company’s website to steal data relating to millions of its customers is a very serious crime. Hacking into the same website to demonstrate the existence of a vulnerability could result in the site owner awarding the hacker a bug bounty in appreciation.

A few years ago, we quietly changed the tagline of the VB website from ‘fighting malware and spam’ to ‘covering the global threat landscape’. This was not because we considered that malware and spam were no longer interesting, but because we realized that fighting them could only be done in a broader security context.

As Virus Bulletin is going through some big changes, we plan to increase our scope further and look even more at other areas of IT security – of course, while continuing to report on malware and spam.

Through both the VB conference and Virus Bulletin magazine, VB has shared the details of high-quality research and thought-provoking opinions. We will continue to do so, and our new publication format will certainly help with that.

We will also be on the look-out for contributions from researchers working in different areas of security – or perhaps with a different view on security. The well-known expression states that great minds think alike, but in fact, great minds often think in very different ways, and bringing them together can lead to even greater things.

Great minds tend to have strong opinions too. (At least those in security do – after all, security matters.) It will be inevitable that some of the things we publish will cause some controversy: people may disagree with an opinion expressed, with some research that is being performed or even with the ethics behind that research. We’re a grown-up industry, and we should be able to deal with such controversies. It will benefit us all.

Here’s to the next 25 years!
