funsec mailing list archives
Re: Spam cube
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 20 Mar 2006 13:20:29 +1200
Drsolly to me:
>> In the AV market -- now a very well-established product category with "matured" marketing -- that boils down to "misleading with the truth", as the AV marketeers have fostered the totally BS notion that "AV is essential"
>
> In an ordinary collection of business computers (which means they're mostly running Windows), do you think that AV is some sort of luxury extra?

"AV as it is commonly done today" -- yes. Well, not a luxury extra, just a massive waste of money for what it delivers. It's a constant case of closing the stable door after the horse has bolted...

There are much better ways _in an ordinary collection of business computers_ to secure the integrity of those machines' codebase than hoping your chosen known virus scanner(s) are updated quickly enough and that you are always lucky enough that someone else gets hit by anything new sufficiently ahead of that thing arriving at your business for your AV developer to get samples, develop and ship an update and for you to get that installed on all your machines.

Of course, developing and adopting the tools to achieve those much better results will (mostly) deprive the current AV business of its steady income stream, supplied by the current addictive update model (and, in fact, a good code integrity management system would need very little updating from the vendor at all, so the whole additive update model would die _for business users_). Thus, it is not in the AV developers' interests to develop or encourage the use of such alternative technologies, so they use their marketing skill to "mislead with the truth" to perpetuate the myth that AV (as it is done now) is "essential", thus ensuring the future of the AV developers and their marketeers...

>> to the point that intelligent, fairly well-informed (large corporate) systems managers not only believe the official AV marketing line, they collectively write "best practice" documents and such _enshrining_ the use of exactly these products despite them being all but useless for the purposes they putatively fulfill.
>
> I defined, maybe 15 years ago, the purpose of an AV. It is to reduce the cost of using computers in a world that includes viruses.

So, you'd agree that "better AV" either reduces the risk more or costs less for the same amount of risk reduction? If so, there are clearly now much more cost-beneficial ways of ensuring a medium (and larger) sized business has its computers protected from "rogue code", both in that the cost of obtaining, configuring, rolling out and maintaining the licensing of products implementing a new approach (ignoring "switchover costs") is lower, AND the likelihood of being compromised once the new approach is implemented is MUCH smaller. So, that modern businesses continue to use old, largely inappropriate AV tools shows the success of the AV marketeers and their mission of "misleading with the truth"...

>> So, "misleading with the truth" is shorter, more accurate and thus, at least to my eye, more elegant...
>
> If you're hoping to be in business in the long term, then you work out what they need, and you also find out what they think they need, and then you give them both, and try to ensure that they know that they're getting both. You give them what they think they need, so that they buy your product. But you *also* give them what they *actually* need, so that they're satisfied with their purchase, and don't dump you for some other product later.

And that, I suspect, is where our views of the _current_ AV market diverge. Once upon a time the then-current implementation of what was essentially the same approach as is still in use today actually was a fairly sensible approach to the (then much smaller) problem of rogue code. However, through time the threat model changed significantly, as has the scale of the actual threat (though to listen to the marketeers you'd have trouble ascertaining this change has occurred -- it's always been really, really bad according to them! 8-) ).

Further, a lot of the structural limitations that made many of the ugly compromises encompassed in the "old" AV model not only acceptable, but necessary, have disappeared (CPUs spending most of their massively increased processing cycles idle, massive amounts of RAM as standard, much faster hard drives, OS advances like secure(-ish) memory management, proper multi-threading and secure process separation, (near) universal and very fast networking, etc, etc) _AND_ precisely the removal of these limitations should allow the shortcomings of decent code integrity management that previously prevented it working well enough to be overcome...

But there's not much "fun" in re-hashing this yet again, so I'll stop.

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.