Flame On

The analysis published on Flame has been amusing. Apparently Stuxnet is no longer considered sophisticated. Surprise.

Flame shares many characteristics with notorious cyber weapons Duqu and Stuxnet: while its features are different…Flame can easily be described as one of the most complex threats ever discovered. It’s big and incredibly sophisticated.

Many characteristics are shared? Interesting, except that later in the same page you will find this:

Flame has no major similarities with Stuxnet/Duqu.

Perhaps it is too early to ask for clarity. But I have to say my favorite example so far is this:

Stuxnet, Duqu and Flame are all examples of cases where we — the antivirus industry — have failed.

Are we expected to believe that a 12% success rate for catching viruses is a shining success? Is there anyone who would like to argue that the antivirus industry is in need of examples of failure? Seems like everyone already has plenty to go around before hearing of Flame (Flamer, SkyWiper).

Don’t get me wrong, I am an advocate of using black-lists as one control to block threats. I also am an advocate for fences. They serve a purpose. The point is to know the difference between levels of defense, like the difference between a six-sided box and a four-sided box. If you’re running a four-sided box defense (e.g. you black-list wheeled threats) don’t be surprised when attackers jump over and under. Failure is a relative term and we should put anti-virus in its place. Definitely not a cure-all. On the other hand, I look forward to hearing how installation of 20MB of malware was not noticed.

The large size of the malware is precisely why it wasn’t discovered for so long. In general, today’s malware is small and focused. It’s easier to hide a small file than a larger module

Easier to hide small than large, which is why large was not discovered? Never mind. I’ll wait for an update on that point too. In the meantime, here’s one of the characteristics that makes Flame different. It is described as sophisticated because

recording of audio data from the internal microphone is also rather new. Of course, other malware exists which can record audio

Those two sentences seem to contradict. It’s rather new but other malware does it already? I have a different definition of rather new — audio attacks are as old as audio. I remember malware (Ivar, an extension for Mac System 7) in 1992 that had audio remote control. It used a fake system bomb to get the user to register the extension and then the Macintosh was tapped. I’ve run into examples since then as well, and I’m not just talking about the occasional webcam fiasco.

That same article makes the point that 3000 lines of code would take about a month. Of course it takes far less than a month to write 3000 lines if you’re collaborating/borrowing code. I point that out because Flame sounds an awful lot like child monitoring applications on the market. Mixed capability monitoring is par for the course when you are a parent or a civil/corporate investigator. In fact, in 2005 I used a similar tool for a case…

Maybe I am wrong and Flame really is a giant black eye for anti-virus vendors, and maybe I’m wrong and it was developed from scratch in an isolated lab at a very high cost. Even so, for me the most interesting part of this story is not the old debate over whether the code is sophisticated or not.

The part I noticed right away is that Jordan, Yemen, and Eritrea are supposedly unaffected or at least far below the top affected countries. That says a lot about intent if you believe intent is a factor. I keep that in mind when I look at the usual analysis that malware in Iran is spread on a Western-dictated attack path.

The malware is most likely created by a Western intelligence agency or military.

Ok, then why isn’t it in the places that Western intelligence agencies monitor? Does Yemen, a so-called “breeding-ground for terror”, or Eritrea have an anti-virus program we should know about?

Automated SSL Check for vCenter and Host

Alan Renouf has posted a new way to automate the test for valid SSL certificates in vCenter.

…what if we wanted to check these certificates in PowerCLI? Recently I found a great PowerShell Advanced function which allows us to do just this: we are able to test the certificate of any given website and return the details.

[…]

The code will output the most important details, including who the issuer of the certificate is, whether it is valid and when it expires, both in date and length of time.

This could easily be adapted to check on a regular basis and email closer to the expiry date.
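As an added illustration of the same idea (this is not Alan Renouf’s function or the one he found), the PowerShell below pulls the certificate a vCenter or ESXi host presents on its TLS port, reports issuer, validity window, days remaining and any chain or name-match problems, and mails an alert when expiry is near. Host names, SMTP server and addresses are placeholders.

```powershell
# Added example: check the TLS certificate a host presents and alert near expiry.
function Get-RemoteCertificateStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # vCenter/ESXi host (placeholder names below)
        [int]$Port = 443
    )
    # Record the policy result but accept the handshake, so an expired or untrusted
    # certificate can still be inspected and reported rather than hidden by an exception.
    $state = @{ PolicyErrors = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $cert, $chain, $errors)
        $state.PolicyErrors = $errors
        $true
    }.GetNewClosure())

    $client = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $now = Get-Date
        [pscustomobject]@{
            ComputerName  = $ComputerName
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotBefore     = $cert.NotBefore
            NotAfter      = $cert.NotAfter
            DaysRemaining = [int]($cert.NotAfter - $now).TotalDays
            DateValid     = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            PolicyErrors  = $state.PolicyErrors   # 'None' means trusted chain and matching name
            Thumbprint    = $cert.Thumbprint
        }
    } finally {
        $client.Close()
    }
}

# Scheduled use: run daily and mail when any host is invalid or within 30 days of expiry.
$hosts = 'vcenter.example.local', 'esx01.example.local'          # placeholders
$results = $hosts | ForEach-Object { Get-RemoteCertificateStatus -ComputerName $_ }
$expiring = $results | Where-Object { $_.DaysRemaining -le 30 -or -not $_.DateValid }
if ($expiring) {
    Send-MailMessage -SmtpServer 'smtp.example.local' -From 'certs@example.local' `
        -To 'vi-admins@example.local' `
        -Subject "TLS certificates needing attention: $($expiring.ComputerName -join ', ')" `
        -Body ($expiring | Format-List | Out-String)
}
```

Pair the script with a scheduled task and keep the PolicyErrors column in the report: a certificate that is not yet expired can still fail trust or name checks, which is the failure a plain expiry check misses.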

Ice-Cream Lid Lock from Ben & Jerry’s

I can’t believe the press release. Aside from allowing someone to remove the bottom of a pint and replace it without detection (not that I know anything about that), a small plastic lid lock from Ben & Jerry’s costs almost twice as much as a pint of their ice-cream:

The Euphori-Lock is a tenacious two-part plastic security ring that slips around your pint’s upper lid for “udder” peace of mind. And not to worry – it comes complete with an easy-to-remember secret code when you’re ready to unlock your favorite treat!

An easy-to-remember secret code? What could go wrong? I mean for $6.64 I expect a plastic ring to have alpha-numeric upper-lower case code with symbols and more than eight characters. And that’s not to mention a motion-sensor, failed-access alarm and log…where’s the USB port or Bluetooth so it can communicate with my kitchen’s incident and event monitor?


African Robotics Network

The formation of an African Robotics Network (AFRON) was announced in April with some ambitious goals.

The idea, still under development, is to create a simple robot with parts costing under $10 dollars that students would use to explore science and engineering topics. The robot would be connected via USB to a computer, and students would use open source software to program the robot’s behavior and share their results.

[…]

…AFRON was inspired by other robotics initiatives such as the European Robotics Network (EURON), but while most networks have concentrated on research activities, AFRON focuses more broadly on education, research, and industry, including efforts aimed at exposing school children to robotics.

Rules have not yet been announced but note the definition:

For the purposes of AFRON, “Robotics” is broadly defined to include related areas such as automation, computer vision, signal processing, machine learning, mobile games, and other related topics.

The Cairo Hackerspace (“Hack like an Egyptian”) is already looking for hackers to join its team in the AFRON $10 Robot Design Challenge.