Caume / DDP

Dynamic Decryption Procedures


This is a rather old proof of concept that I developed circa 2005. My first (and probably last) attempt to publish something in a peer-reviewed publication.

At the time I submitted the paper to a prestigious publication dealing with malware. The paper was received with mixed reactions from reviewers: there were those excited by the proof, and there were those claiming that this was dangerous or simply not worth publishing. After several adjustments and a divided panel, the editor decided not to publish the paper (of course, there were representatives of antimalware companies on the panel).

I published the paper and example code in the hope that it would help others. At least a few AV companies were interested, since the included example code is recognized by many engines. I must say not everything was bad. For instance, one of the reviewers gave me a lot of constructive criticism, including a reference to the use of this concept in agents that was proposed by Schneier (I wasn't aware of that paper, but it allowed me to credit the authors properly).

A few years later, malware older than this paper which used this concept was found in the wild (see Gauss, for example). So I lost my faith in the "peer review" process. Politics and interests override the genuine value of research. We can't stop research only on the basis that something can and will be abused. This is what led the information security industry to its current state, where criminals have the advantage. We have to get rid of this "security by obscurity" mentality.

My advice, if you are a security researcher and want to publish something: use open publications and open source. If you trust your idea, build your own company and embrace it. History is full of examples of well-established companies and organizations that laughed at novelties, only to be replaced later by a newcomer that dared to innovate.

OAHR

About

License: GNU General Public License v3.0

Language: C 100.0%