Full Disclosure mailing list archives

Re: (no subject)


From: Michel Messerschmidt <lists () michel-messerschmidt de>
Date: Mon, 16 Aug 2004 12:50:58 +0200

On Sun, Aug 15, 2004 at 01:52:33PM +0200, Maarten wrote:
On Sunday 15 August 2004 04:52, Nick FitzGerald wrote:
Maarten wrote:
yada yada.  You may work in the industry (and be blind because of it) and I 
may have an incredibly high IQ (so much higher than yours that you perceive 
I'm stupid instead).
But the thing is, you don't know that.  So stop bashing me and showing off.
You can shine by your actions, not by your reputation...

So what is your knowledge about malware naming ?
You know about the wildlist and its problems, Vgrep, CARO, 'naming.txt' 
and its use in the last 10 years ?
You have ever tried to maintain and work with a malware collection ?
You know about previous (and more in-depth) discussions on this topic ?
You've read at least http://www.securityfocus.com/infocus/1587
and http://www.virusbtn.com/magazine/archives/200301/caro.xml
to get a basic idea of the problem ?
So what rational fact makes you believe you know this better than everyone 
else ?


All change starts small.  Maybe discussions such as this will wake people up, 
maybe there will even be a voiced demand from the public.  That DOES hurt 
sales, thus shareholders, which is what you need to have done, right ?
The only thing I'm sure about is, YOU will not be instrumental in this.

Do you really think, there were any new ideas here ?
For an example, here at the antiVirusTestCenter we have discussed the naming
problems for years. But even the partial solutions that have been realized
(LOKMM, VMacro-Server) haven't caused significant changes. And this was in
cooperation with many AV researchers. 
How should such an annoying thread like this really help ? Do you also 
believe you can convince MS to make Windows OpenSource just by posting here ?


Well, just for you, to make it simple.  
At Time T you find a virus and name it whatever you like (just as you do now).  
From time T until T+48h you have the "all-important hours" of confusion as 
you are so adamant to repeat at every opportunity. So let there be confusion. 
At Time T+50 you agree upon a singular standardized name and rename it.

So, compared to now, what has changed between T and T+48 ?? Nothing.  So stop 
complaining about me messing up those "all-important hours" of yours.  I'm 
not messing anything up.  I'm renaming when the panic has died down. 
Get it now ?!?!

And what is the benefit of your proposal? Have you considered that it may 
be just another source of confusion ? There could be uncoordinated 
renamings, the same malware alerts with old and new names (but this time 
from the same vendor). Administrators may not be able to compare scan reports
from different malware definition updates because the names changed in 
between.


The first few hours _under current processes_ produce nearly all of the
confusion caused by naming inconsistencies.  Media outlets latch onto

This is not a scientific fact, and I do not agree with you.

I can't remember _any_ scientific fact in this thread.

-- 
Michel Messerschmidt           lists () michel-messerschmidt de
antiVirusTestCenter, Computer Science, University of Hamburg

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

