Comment by VoidWhisperer
13 days ago
I understand that this is to drive research and help security researchers in this case, but I personally think Github should take a harder stance against this kind of repo, education purposes or not - saying it is for educational purposes is definitely not going to stop someone (especially people who wouldn't know how to develop this level of rootkit on their own) from going and using it.
Also the specific details in README regarding 'make sure you randomize this or you'll be detected!' makes it feel even less like it is explicitly for educational purposes since you are providing users easy instructions on how to work around countermeasures this code.
There are many responses to this, but I'll start with:
Security through obscurity is not security [1]
When only l33t underworld h4x0rz know about software flaws, there is very little incentive or ability for regular software developers to find and fix what enables these vulnerabilities. Only through shared knowledge can the world become a better place.
[1] https://en.wikipedia.org/wiki/Security_through_obscurity
The second argument doesn't really work out in praxis. We have a quarter century knowledge about SQL injection at this point, yet it keeps happening.
Instead of trying to educate everybody about how to safely use error-prone programming abstractions, we should instead de-normalize use of them and come up with more robust ones. You don't need to have in-depth exploit development skills to write secure Rust code.
Unfortunately, there's more money to be made selling security consulting if people stick to the error-prone ones.
Do you think malware creators find out by reading HN or github? I don't understand the vitriol, the request "Github should take a harder stance" could have a chilling effect on security researchers, pushing high impact exploits deeper underground.
Another point is that Firstly Github shouldn't take a harder stance but considering its microsoft and even if One might argue that Github does take in this case and it actually does.
This would really end up doing not much because buying a domain name and such hosting should be easy.
There are some service providers who will only comply in things if you provide if and only a legal complaint which is genuine and valid (like a court order) and I think no Court can order for something like this because I feel like there is / must be a legal backing for genuinely writing "this tool is for educational/research purposes" and its actually so, so I don't really understand if github's stance would even matter in the end because if you need to get court order to remove it in the end, then github will comply it with it as well (even more so than those providers even)
I don't understand what the OP wants, like should this be obscure in some tor .onion forum for hackers or should this be on github so that people can read about this and learn abotu this vector and patch up in their servers where they may have thought it was safe but they didn't know about this issue exists in the first place! (because a hacker might still use obscure persons but a sysadmin might not comparatively)
There isn't vitriol, or atleast I didn't mean it that way. The point I was trying to make is that I've seen malicious code like viruses and keyloggers and rootkits being distributed via github and they use the 'this is for education' as a cop-out when the rest of the repo makes it extremely obvious what the real intention is
Malware is very easy to build. Competent threat actors don't need to rely on open source software, and incompetent ones can buy what they use from malware authors who sell their stuff in various forums. Concerns similar to yours about 'upgrading' the capabilities of threat actors were raised when NSA made Ghidra public, yet the NSA considers the move itself to have been good (https://www.nsa.gov/Press-Room/News-Highlights/Article/Artic...).
People will build malware. It is actually both fun and educational. Them sharing it makes the world aware of it, and when people are aware of it, they tend to adjust their security posture for the better if they feel threatened by it. Good cybersecurity research & development raises the bar for the industry and makes the world more secure.
Have you ever heard the phrase: "To stop a hacker you have to think like a hacker." Thats cyber security 101. Without tthe hackers knowledge or programs...you're just a victim or target. But, with this knowledge made available, now you are aware of this program/possibility. Its like when companys deploy honeypot servers to capture the methods & use cases of hackers attacking the server, to build stronger security against their methods and techniques.