funsec mailing list archives

Re: Spam cube


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 20 Mar 2006 13:20:29 +1200

Drsolly to me:

In the AV market -- now a very well-established product category with 
"matured" marketing -- that boils down to "misleading with the truth", 
as the AV marketeers have fostered the totally BS notion that "AV is 
essential" 

In an ordinary collection of business computers (which means they're
mostly running Windows), do you think that AV is some sort of luxury 
extra?

"AV as it is commonly done today" -- yes.

Well, not a luxury extra, just a massive waste of money for what it 
delivers.  It's a constant case of closing the stable door after the 
horse has bolted...

There are much better ways _in an ordinary collection of business 
computers_ to secure the integrity of those machines' codebase than 
hoping your chosen known virus scanner(s) are updated quickly enough 
and that you are always lucky enough that someone else gets hit by 
anything new and sufficiently ahead of that thing arriving at your 
business for your AV developer to get samples, develop and ship an 
update and for you to get that installed on all your machines.  Of 
course, developing and adopting the tools to achieve those much better 
results will (mostly) deprive the current AV business of its steady 
income stream, supplied by the current addictive update model (and, in 
fact, a good code integrity management system would need very little 
updating from the vendor at all, so the whole addictive update model 
would die _for business users_).

Thus, it is not in the AV developers' interests to develop or encourage 
the use of such alternative technologies, so they use their marketing 
skill to "mislead with the truth"  to perpetuate the myth that AV (as 
it is done now) is "essential", thus ensuring the future of the AV 
developers and their marketeers...

to the point that intelligent, fairly well-informed (large 
corporate) systems managers not only believe the official AV marketing 
line they collectively write "best practice" documents and such 
_enshrining_ the use of exactly these products despite them being all 
but useless for the purposes they putatively fulfill.

I defined, maybe 15 years ago, the purpose of an AV. It is to reduce the
cost of using computers in a world that includes viruses.

So, you'd agree that "better AV" either reduces the risk more or costs 
less for the same amount of risk reduction?

If so, there are clearly now much more cost-beneficial ways of ensuring 
a medium (and larger) sized business has its computers protected from 
"rogue code", both in that the cost of obtaining, configuring, rolling 
out and maintaining the licensing of products implementing a new 
approach (ignoring "switchover costs") are lower, AND the likelihood of 
being compromised once the new approach is implemented is MUCH 
smaller.  So, that modern businesses continue to use old, largely 
inappropriate AV tools shows the success of the AV marketeers and their 
mission of "misleading with the truth"...

So, "misleading with the truth" is shorter, more accurate and thus, at 
least to my eye, more elegant...
 
If you're hoping to be in business in the long term, then you work out 
what they need, and you also find out what they think they need, and then 
you give them both, and try to ensure that they know that they're getting 
both.

You give them what they think they need, so that they buy your product.

But you *also* give them what they *actually* need, so that they're 
satisfied with their purchase, and don't dump you for some other product 
later.

And that, I suspect, is where our views of the _current_ AV market 
diverge.  Once upon a time the then-current implementation of what was 
essentially the same approach as is still in use today actually was a 
fairly sensible approach to the (then much smaller) problem of rogue 
code.  However, through time the threat model changed significantly, as 
has the scale of the actual threat (though to listen to the marketeers 
you'd have trouble ascertaining this change has occurred -- it's always 
been really, really bad according to them!  8-) ).  Further, a lot of 
the structural limitations that made many of the ugly compromises 
encompassed in the "old" AV model not only acceptable, but necessary, 
have disappeared (CPUs spending most of their massively increased 
processing cycles idle, massive amounts of RAM as standard, much faster 
hard drives, OS advances like secure(-ish) memory management, proper 
multi-threading and secure process separation, (near) universal and 
very fast networking, etc, etc) _AND_ precisely the removal of these 
limitations should allow the shortcomings of decent code integrity 
management that previously prevented it working well enough to be 
overcome...

But there's not much "fun" in re-hashing this yet again, so I'll stop.


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.