Clarify references to case studies in readme

[Greatz08]

In the above sample output, we run capa against an unknown binary (suspicious.exe), and the tool reports that the program can send HTTP requests,

Instead of this you can mention properly with due respect that you have used open source project which is based on malware analysis kind of tool and what all things it runs and showcase how capa can detect all those as example . In this way people will not have wrong image about al-khaser project which is important because it also deserves equal respect as open source project which is unique and well maintained instead of been shown as "unknown suspicious binary" plus they can read al-khaser code (https://github.com/LordNoteworthy/al-khaser) and understand all how it works and what all things it do plus how project capa can detect all those things successfully from exe file so all together this would give best open picture to all users.

[williballenthin]

Hey @Greatz08

Thanks for raising this concern about our intro. I appreciate the request to recognize open source software, including Al-Khaser - a tool that has definitely influenced capa!

First, let's continue this thread of discussion, because its important to get right fully and consistently.

With that said, the wording of our intro is ambiguous, and our reference to suspicious.exe does not refer to the Al-Khaser binary. The screenshot of Al-Khaser was added very recently and is independent of the case study around suspicious.exe (which I think is actually Wannacry). When we added the screenshot, we didn't update the wording, so when we say "In the above sample output..." we mean way above not "immediately above" which is certainly confusing.

I think we should update our wording to make the examples and their sources more clear. We can open a PR for that. What else do you think we can do?

[Greatz08]

@williballenthin ok now i get it, Thanks for explaining things from your side. In my opinion explaining little bit about al-khaser project so that people can understand easily what it and referencing it to al-khaser github page will be enough as people who are interested will study more how it works and can easily relate how capa works to detect all those things. This much will be enough in my opinion
BUT in case you/team wants to explain much more about capa capabilities and wanna showcase it in video or in easier docs way then you can use al-khaser project to do that easily.

For me personally both capa and al-khaser projects are pretty awesome and i could relate as i did know about al-khaser before knowing capa but i am sure max wont know about it and might think al-khaser project as virus so educating them is also responsibility for us and that is one more reason for me to ask you to explain al-khaser project when showcasing so that more people can understand and relate things easily without having to take risk in finding and running actual sus file/virus to test capa :-))