@Dr. Vesselin Bontchev
"Steve: You forget that the AV industry has to make products that are usable by any average Joe out there - not just by you."
I don't concede that point, but even if I did, the one very important thing that I most certainly haven't forgotten is that the AV industry is also supposed to make stuff that ACTUALLY WORKS.
Of course, as any fule kno, making an AV product that actually works is not a viable economic model for any company with long term goals, because you only get to sell a couple of versions into your market and then your cash flow dies.
"And Graham's point is that you can test security without doing such unethical things like creating new self-replicating malware."
Exactly, and my point is that this is complete and utter bollocks, and, in fact, is the single misapprehension that makes the AV industry suck.
As you well know, ~90% of the protection offered by the big players is *STILL* based on signature scanning, and most contemporary AV products will *STILL* not alert on 0day stuff, several (going on 10+ by now) years of constant babbling about 'heuristics' and 'behaviour analysis' and the like notwithstanding.
I find your stance that a professional security researcher ought not to engage in the 'unethical' activity of creating self-replicating code hard to credit. There is absolutely no reason why this should be harmful to anyone; it's not difficult to maintain a (real or virtual) research network with an air gap for just this purpose.
If a professional security bod doesn't have the demonstrable and practical ability to create a worm or virus of her own, she is clearly not competent to defend against other people's as she is missing some of the knowledge and practice that her 'enemies' have, starting with the ability to locate novel exploitation paths.
I realise that this is an unpopular and widely derided point of view amongst the Girl Guides that populate the AV industry, and that, if you respond at all, you will no doubt wish to inform me that the skillset and the mindset of the attacker and the defender are separate and distinct. This is true to a certain extent, and many examples could be quoted, but a large and open mind that can encompass both is better prepared.
Much of the rest of the security industry is happy with this (millions of crap, self-proclaimed "penetration testers" could indeed be wrong, but in this case, I don't think they are), so what's up with you AV bods?
(P.S. I haven't used F-Prot for at least a decade, so please don't take this personally if it's uber great now :-)