funsec mailing list archives
Re: Spam cube
From: Drsolly <drsollyp () drsolly com>
Date: Mon, 20 Mar 2006 11:52:45 +0000 (GMT)
On Mon, 20 Mar 2006, Nick FitzGerald wrote:
> Drsolly to me:
>
> > > In the AV market -- now a very well-established product category with "matured" marketing -- that boils down to "misleading with the truth", as the AV marketeers have fostered the totally BS notion that "AV is essential"
> >
> > In an ordinary collection of business computers (which means they're mostly running Windows), do you think that AV is some sort of luxury extra?
>
> "AV as it is commonly done today" -- yes. Well, not a luxury extra, just a massive waste of money for what it delivers. It's a constant case of closing the stable door after the horse has bolted...

No, it's closing a billion stable doors after a few horses got out.

> There are much better ways _in an ordinary collection of business computers_ to secure the integrity of those machines' codebase than hoping your chosen known virus scanner(s) are updated quickly enough and that you are always lucky enough that someone else gets hit by anything new and sufficiently ahead of that thing arriving at your business for your AV developer to get samples, develop and ship an update and for you to get that installed on all your machines. Of course, developing and adopting the tools to achieve those much better results will (mostly) deprive the current AV business of its steady income stream, supplied by the current addictive update model (and, in fact, a good code integrity management system would need very little updating from the vendor at all, so the whole addictive update model would die _for business users_).

So, what you're saying is, AV is necessary, but it should be according to *your* design. You'd be surprised at the cost burden that a good integrity management system imposes - possibly even greater costs than the "known virus" scanner model.

> Thus, it is not in the AV developers' interests to develop or encourage the use of such alternative technologies, so they use their marketing skill to "mislead with the truth" to perpetuate the myth that AV (as it is done now) is "essential", thus ensuring the future of the AV developers and their marketeers...

This is a classic situation crying out for someone to leap in and undercut the existing market with a new and vastly better product. But I don't see that happening. You might say that "Symantec has no incentive to do so", but certainly Joe Littleprogrammer has - he could capture a chunk of the AV market, of which he has currently zero share. The problem is, integrity management products lead to greater costs than known-virus scanners.

> > > to the point that intelligent, fairly well-informed (large corporate) systems managers not only believe the official AV marketing line, they collectively write "best practice" documents and such _enshrining_ the use of exactly these products despite them being all but useless for the purposes they putatively fulfill.
> >
> > I defined, maybe 15 years ago, the purpose of an AV. It is to reduce the cost of using computers in a world that includes viruses.
>
> So, you'd agree that "better AV" either reduces the risk more or costs less for the same amount of risk reduction? If so, there are clearly now much more cost-beneficial ways of ensuring a medium (and larger) sized business has its computers protected from "rogue code", both in that the cost of obtaining, configuring, rolling out and then maintaining the licensing of products implementing a new approach (ignoring "switchover costs")

Most certainly. Using Linux on the desktop, for example (ignoring "switchover costs"), is very low-cost. Grannyx would be even better.

> are lower, AND the likelihood of being compromised once the new approach is implemented is MUCH smaller. So, that modern businesses continue to use old, largely inappropriate AV tools shows the success of the AV marketeers and their mission of "misleading with the truth"...

No, it shows that they (or at least some of them) have calculated that the costs of an alternative (*including* switchover costs - I cannot imagine why you tried to ignore those) are greater than their existing methods.

> > > So, "misleading with the truth" is shorter, more accurate and thus, at least to my eye, more elegant...
> >
> > If you're hoping to be in business in the long term, then you work out what they need, and you also find out what they think they need, and then you give them both, and try to ensure that they know that they're getting both. You give them what they think they need, so that they buy your product. But you *also* give them what they *actually* need, so that they're satisfied with their purchase, and don't dump you for some other product later.
>
> And that, I suspect, is where our views of the _current_ AV market diverge.

I'm not so sure that they do. I think that most of our difference is about motives, not methods. I'm sure I've said here before, I don't know of an antivirus that's good enough to use, other than "use Linux". But you ascribe this to the profit motive of the "greedy AV companies", whereas I ascribe it to the fact that no-one has created anything better, so far.

> Once upon a time the then-current implementation of what was essentially the same approach as is still in use today actually was a fairly sensible approach to the (then much smaller) problem of rogue code. However, through time the threat model changed significantly, as has the scale of the actual threat (though to listen to the marketeers you'd have trouble ascertaining this change has occurred -- it's always been really, really bad according to them! 8-) ).

As the number of happenings like the recent McAfee false-alarm increases, so the pressure mounts for a system that doesn't lead to a daily (or hourly) update requirement.

> Further, a lot of the structural limitations that made many of the ugly compromises encompassed in the "old" AV model not only acceptable, but necessary, have disappeared (CPUs spending most of their massively increased processing cycles idle, massive amounts of RAM as standard, much faster hard drives, OS advances like secure(-ish) memory management, proper multi-threading and secure process separation, (near) universal and very fast networking, etc, etc) _AND_ precisely the removal of these limitations should allow the shortcomings of decent code integrity management that previously prevented it working well enough to be overcome...

None of the above are the main problem of code integrity management. The main problem is that things that we thought don't change, actually do change. Consider, for example, Word macro viruses. I think that the long term answer is in the reduction of functionality of the computer, for the vast majority of people who don't need the functionality that leads to malware. Grannyx is the answer.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.