Jun 15 2009

Kaspersky Labs ignores bug hunter, fails to fix security flaw

Thierry Zoller is the director of product security at a company called “n.runs AG.” He recently discovered a flaw in Kaspersky Labs’ popular antivirus software.

This is nothing new: antivirus products have always suffered from outright security vulnerabilities. This time, though, Zoller blew up at Kaspersky both in his blog and on some high-profile computer security mailing lists.

“Not only did [Kaspersky Labs] not answer [my bug alert], they (tried) to patch this vulnerability silently, only to fail at it,” Zoller railed. “This is not the first time that Kaspersky did not answer but patched bugs without credit, advisory or anything,” he added.

This, too, is nothing new — the antivirus industry in general has long relied on “silent slipstreams” to de-vuln their security products, neither giving credit to the discoverers nor alerting their customers to the risks they face(d).

I regard it as a dangerous double standard. The bug-hunt community erupts in anger and The Register files a story whenever Microsoft fails to give credit where due in a product vulnerability advisory. Yet nothing big happens when an antivirus firm like Kaspersky fails to—

—waitaminit, folks. Let’s pose this double standard as a trick question. Microsoft offers an RSS feed for security vulnerabilities in their own products. Can you name one antivirus vendor that offers an RSS feed for security vulnerabilities in their own products?

Go on! Look for an RSS feed. I’ll wait…

Okay, stop looking: I’ll give you a ‘B’ for effort. You see, antivirus firms don’t need to disclose vulnerabilities in their own products. “Why does this double standard exist, Rob?” Because antivirus customers don’t care. Period.

(“C’mon, Rob, what would it take to get an ‘A’ for effort?” You’d need to realize two things. First: you’d realize that both the content of this little-known page and the content of this other little-known page really should appear on this very well-known page on Symantec’s website. Second: you’d realize that Symantec’s “ThreatCon level” doesn’t vibrate when they acknowledge critical vulnerabilities in their own security products.)

(Oh, and I’ll give you extra credit if you can answer another trick question. “Why doesn’t Symantec’s vulnerability disclosure policy impact their ThreatCon level?”)


Zoller directed his anger at Kaspersky Labs. In truth, though, he griped about a long-held double standard that favors the antivirus industry to this day. Zoller swung his fist, saying:

“I am no longer part of an entity that tolerates irresponsible non-disclosure. A professional reaction to a vulnerability notification is a way to measure the maturity of a vendor in terms of security. Kaspersky is given a grace period of two (2) weeks to reply to my notifications. Failure to do so will result in details of all the other reported bugs be[ing] released in two (2) weeks.”

“Measure the maturity of a vendor in terms of security,” he says. Memo to Thierry Zoller: I hate to tell you this, dude, but I’ve documented the antivirus industry’s immaturity for twenty-plus years…

Jan 28 2009

Why Symantec’s CEO shouldn’t be Obama’s Commerce Secretary

A Fox News report claims President Obama has his eye on Symantec CEO John Thompson as his “leading candidate for Commerce Secretary.”

I think the president should reject Thompson — because Symantec secretly turned over computer viruses to China for at least two years during Thompson’s reign as CEO.

Mind you, the U.S. government pays Symantec a lot of money to protect U.S. government computers from the very same computer viruses they gave to an oppressive regime that openly despises U.S. national security interests. How much more ironic can you get?

Not only did Symantec arm China with cyber-smallpox technology … they did it right under the very noses of the White House and the FBI. Symantec’s executive team actually decided “we’re going to arm China and we’re not going to arm the U.S.” And John Thompson sat at the very top of the company’s executive team that made this decision.

For at least two years during Thompson’s reign at Symantec, his people advised the White House and the FBI on global cyber-threats to U.S. national security. Symantec often flew their people into D.C. on the company’s dime so they could personally brief people like Richard Clarke. Thompson’s people stood next to White House senior staffer Richard Clarke in his famous “Y2K situation room,” ready to help out if China had dared to launch a cyber-attack.

And at the very same time, Thompson’s people also opened a pipeline to China so they could smuggle digital munitions to a country the U.S. now believes is responsible for hordes of cyber-attacks launched against federal, state, and local government networks.

For at least two years during Thompson’s reign, his company armed Beijing’s oppressive regime for a single reason: commerce. Symantec wanted to pave governmental inroads to China’s growing corporate market for PCs and software.

Does America really need a Commerce Secretary who spent two years arming China with network warfare weapons, all while keeping the White House in the dark?

“CEO Thompson” kept all of this a secret from both Clinton and Bush. What will “Secretary Thompson” keep secret from Obama?


Let’s suppose Thompson dons the mantle of Commerce. And let’s suppose China releases an über-virus that makes a shambles of our banking & commerce networks. “Team Obama” descends on the White House for an emergency cabinet meeting.

“Here’s what we know,” says the Secretary of Defense. “Beijing attacked us with a virus that has the telltale signature of a Symantec goat file. In fact, we think they built this virus based on what Symantec delivered to them on March 12, 2000 at 08:43am Pacific Time.” The Secretary of Commerce shifts nervously in his seat.

“We think China did this on purpose — used one of Symantec’s goat files,” the Secretary of Defense continues. “We think they did it just to put us in the very quandary we’re in right now.”

Obama speaks up. “I don’t get it. What quandary are we in right now?”

The Secretary of Defense coughs nervously. “Mr. President, Symantec’s delivery of viruses on March 12, 2000 included an email trail from senior management. Marketing had complained that the virus experts were deliberately trying to slow down the transfer of viruses to China. The last email comes directly from senior corporate management. The person who sent that email told the director of virus research to give Marketing what they need so Symantec can keep their commerce moving in China … and ‘commerce’ is a direct quote from the email. The senior corporate manager warned that if the flow of viruses didn’t go up immediately, John Thompson would personally come down there and fire the director of virus research.”

The Secretary of Commerce blurts out “I didn’t write that email!” All eyes in the room turn toward John Thompson. “Somebody at my company must have been using my name in vain, Mr. President.”

President Obama frowns and turns back to his Defense Secretary. “Okay. I see the quandary.” He turns again to the Commerce Secretary. “John, you are excused from the rest of this meeting…”

Jul 10 2008

Does USAF count cyberspace sorties with extreme precision?

USAF’s latest press release touts their 50,000th air sortie in Operation Noble Eagle — a mission flown right over my RV, coincidentally enough.

USAF logs its aircraft missions with extreme precision; we know this for a fact.  They can tell you exactly who flew exactly what type of mission for exactly what military operation on exactly what date at exactly what time for exactly how long in exactly which aircraft.  Want to know if a “tail swap” or a crew swap took place at the last minute?  Did the aircraft fly around restricted airspace or take on fuel from a tanker?  Don’t worry, USAF logged it.  They keep these records on file for decades.

USAF also logs its aircraft maintenance with extreme precision; we know this for a fact.  They can tell you exactly who performed an engine swap on exactly what date for exactly how long (!) on exactly which aircraft.  Want to know the serial numbers for the old & new engines?  Don’t worry, USAF logged it.  They keep these records on file for decades.

USAF logs its satellite missions and satellite maintenance with extreme precision, too.  They (should) also log every missile mission and missile maintenance with extreme precision.  Indeed, the Secretary of Defense fired USAF’s top brass for lapses of extreme precision in this realm.

USAF keeps detailed records even on things like a Predator ground station unit and a K-9 working dog.  If it’s a bona fide weapon system, USAF’s bureaucracy tracks it with extreme precision.

But on the day they flew that 50,000th Noble Eagle mission, USAF didn’t log very much at all about its cyberspace defense efforts.  They simply don’t know exactly who deleted exactly how many copies of exactly what virus from exactly which computer on exactly what date at exactly what base.

USAF uses Symantec antivirus software; we know this for a fact (although they insist this fact is for official use only).  Symantec’s antivirus product for Microsoft Vista — by default — only keeps its (very limited) log data for a very short time.  I’ll bet one day’s wage against Maj Gen William T. Lord that Air Force Cyberspace Command dismisses as transient data the very antivirus logs generated by the computers in his very office.

Mind you: USAF officially insists every desktop computer is a bona fide “weapon system” equal in stature to its fleets of air, space, and missile weapons.  Yet computers are the only weapon system they don’t care enough to document with extreme precision.

We can’t take the notion of a “cyberspace” mission seriously until USAF at least tracks its network & computer defense efforts with the extreme precision they demand for bona fide weapon systems.


Of course it raises the question — does USAF track cyberspace sorties with extreme precision?  Purely for the sake of argument, let’s suppose U.S. airmen helped Israel hack into Syria’s air defense system.  That would qualify in my book as at least one “sortie” in cyberspace.  If it’s a sortie, then:

  1. Do those (highly classified) logs contain a record of exactly who flew exactly what type of mission for exactly what military operation on exactly what date at exactly what time for exactly how long on exactly which cyberspace weapon system?
  2. Did a tail swap or a crew swap take place at the last minute?
  3. Did the crew earn credit for their flying hours?
  4. Did an interim country restrict its cyberspace, thereby forcing the crew to take an alternate route to the target?
  5. If the nature of the mission required even the slightest modification to the weapon system, did the “digital wrench-turners” document it with extreme precision in that particular weapon system’s maintenance logs?
  6. Will all of these logs remain on file for decades?

Let’s ask THE fundamental question, folks.  If USAF knows exactly how many air missions they’ve flown in Operation Noble Eagle … shouldn’t they also know exactly how many cyberspace missions they’ve flown in Operation Iraqi Freedom?

May 05 2008

Shouldn’t DEFCON attendees think outside the box?

My oldest readers will remember when I had the audacity to dissect antivirus software for security flaws. From 1997 to 2000 I could gain root on millions of corporate servers and desktop PCs that relied on McAfee, Symantec, Trend Micro, and other antivirus programs. I eventually named it the “ADVEIS” rootkit, short for “antivirus dependent vulnerabilities in email infrastructure security.” I gave a lecture about my findings and then—

—well, no one really cared that I proved antivirus programs reek of security flaws. Not even the hackers. (That surprised me: I expected a dozen copycats to pop up.) But I didn’t care much either, so I shelved it and went on to the next great experiment.

Which brings me to today. This year’s “DEFCON” convention will hold a “Race to Zero” contest. Players will get a batch of viruses to hack on until someone can get a variant past all the antivirus products installed for the contest.

Reporters played up the DEFCON announcement; the antivirus vendors sneered. But to them I say “so what?” If you want to watch someone beat a dead horse, go right ahead, but it’s not news. This DEFCON contest does nothing that we haven’t seen already. Lesser-known hacker shindigs have held the same contests over the years.

DEFCON would impress me if they held a contest to acquire root via the antivirus software. But (sigh) I’m the only one around here who seems interested in thinking outside the box…