From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: (no subject)

Maarten to me:

> > However, if all AV vendors (and it would have to be all vendors or
> > market forces would prevent it happening, so guess what is one of the
> > largest things blocking better naming coordination?) were to agree a
> > name perfectly before _any_ of them shipped updated detection for new
> > viruses, it is a better than fair bet that those same outsiders
> > would then be the ones complaining longest and loudest about how tardy AV
> > vendors were at shipping "emergency" updates.
> 
> There is nothing stopping AV vendors from naming freshly discovered virii with 
> an internal naming scheme (VENDOR-YYYYMMDDHHxy) pending a central database / 
> organisation to name the virus.  Then all vendors can rename the new strain 
> from their generic temporary name to the definitive name. This is trivial, 
> they update virus definitions all the time, why not also update the name.

I can easily understand how someone unversed in the _market forces_ 
pertaining to antivirus software could hold that position, and as a 
theoretical solution to the problem of lack of cross-vendor naming 
coordination it has often been suggested even by those who know it 
would never work in the real world.

Neat and tidy as such a solution seems, it will not, however, work.  As 
I explained in others of my posts in this and the related "AV Naming 
Convention" thread, in general by far the largest "cost" of naming 
disagreement is borne by the users in the early hours of large-scale 
outbreaks.  Thus, a "solution" that specifically _requires_ all vendors 
to use a different name until a name is agreed (no matter what this 
process is, it will take some _additional_ time) is, by design, an _anti-
solution_ as such a "solution", by design, ensures perfect naming 
inconsistency at the time the highest cost of naming inconsistency is 
borne.

Secondly, one of the greatest impediments to ongoing (as opposed to 
initial, outbreak-phase) naming inconsistency is that many vendors do 
not have internal processes robust enough to easily handle renaming.

Bearing both in mind, it is obvious that the only likely useful 
solution to this problem will be one that allows for the fastest _and 
earliest_ possible resolution of "VendorX and VendorY have both just 
seen samples of what is almost certainly the same thing which will be 
known as..." _AND_ provides an easy, even trivial, mechanism for the 
right folk at VendorX and VendorY to learn of this.  _FURTHER_, even if 
such a mechanism can be implemented, it will likely be useless as much 
history suggests that the vendors seem unable to change (and are 
certainly _unwilling_ to spend the time and effort to change their 
internal procedures to allow for better naming and renaming 
flexibility) unless there is some very large external stick being held 
over them (such as, perhaps, some compliance requirement for AV 
software to be used in any branch of the US federal government and its 
many and varied agencies...).

> This could even be good for competition; the central authority could give 
> credit to the first discoverer by naming the virus after the vendor who first 
> found it (but I digress here).

No, please don't suggest such things.  The PR and marketing folk in AV 
(as everywhere else) are already dangerously clueless about what their 
products do, who they do it for, and the "importance" of their own product.  
Such a naming scheme would simply add years of totally stupid marketing 
back into an industry sector where the technical folk have fought very 
long and hard to rein in the stupidity of overly emotional, grossly 
under-informed, generally "publicity-seeking to the detriment of the 
industry as a whole" marketing moves.

> In the real world, things are very often named after their discoverers or 
> inventors.  Star systems, diseases, laws, etcetera.

And that is such a bad idea here for so many reasons I'm not going to 
waste my breath even trying to explain more than the above comment 
other than to add, much as it may not be apparent and much as it is far 
from perfect, the malware naming process we use is supposed to be a 
simple taxonomic system relating, at the broader view than "you have 
the virus FooBar.X", the related-ness of similar code and 
differentiating less similar code.  Much as the current system is 
imperfect, any attempt to "fix" malware naming that involves removing 
the current scheme's (weak) taxonomic structure will find extremely 
stiff resistance from some significant segments of the industry.

> Of course, the first thing is to form that central authority, but then again 
> lots of industries have a central authority -whether decreed by law or not- 
> so it's not something deemed impossible.  

Sure -- if someone is prepared to pay a few salaries, it would be 
relatively easy to set up some kind of "naming authority".  Of course, 
if this were done without _extensive_ consultation with AV developers, 
it is unlikely to be worth the effort as no-one will pay much attention 
to the "authority", making it somewhat less authoritative than may be 
desirable...

> At least there are no technical barriers to stop that, only political ones.  

"this" == setting up the authority?  True, the barriers to that are 
primarily economic and political.  There are, however, technical 
barriers too.  Such an authority has to have a reasonable technical 
basis from which to make its classification decisions -- recall, its 
purpose is to impose naming standards on the industry, and the industry 
will take a very dim view of said "authority" (assuming some external 
force can be brought to bear to induce or compel the industry to work 
with the authority) if industry members have to spend a great deal of 
time arguing the point over mis-classifications.  If you have some idea 
of the complexities that can surface in such discussions -- which, 
given I don't recognize you as being an established AV researcher I 
strongly suspect you _cannot_ -- then I doubt you'd say that there are no 
technical difficulties if the point of setting up such an "authority" 
includes some notion that it should be functionally useful...

> Despite the high rate of development as you outline below.  Using a temporary 
> name is quite simple to do, ...

True...

> ... simple to update...

False as I've hinted above and recently discussed in more detail 
elsewhere (if it were easy, do you really think that a certain very 
large AV vendor would still be calling the Bagle family "Beagle"?).

> ... and overall better for everyone. 

False as it ensures greater naming inconsistency at the time of highest 
cost _to the user_ of such inconsistency.

Some places one out of three ain't bad, but in a technical sphere like 
this, I'm afraid that means you have to go back to the drawing board...

(And please, before replying to this message, please, please, please, 
please, please read _all_ the rest of thread -- as the only person 
making a significant contribution who has more than half a clue about 
how all this stuff works, what may be technically feasible, and what a 
great deal of customer and industry history suggests may be acceptable, 
answering the same misconceptions over and over is getting tiresome...)


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

