Open Source and information security mailing list archives
Message-ID: <B99D046F7F16A34EA7926E14DD82F5A114CCF2@exchny28.ny.ssmb.com>
From: jan.m.clairmont at citigroup.com (Clairmont, Jan M)
Subject: AV Naming Convention It is who fixes it first.

It's about detection and fixing the problem first. Who has a
fix and has a methodology for fixing it reports it and puts the
link/methodology/information in the database so all who are still
trying to respond can benefit from that information.  Everyone fixes it
eventually, but then the company/person/contributor gains the benefit of
first finder's name and the rest of us get to respond and defeat the
offending malware/virus/spam etc. Naming could have many aliases in the
database too, just in case there is some dispute. It would also make it
searchable by alias, time, day etc.


This reporting system would be free for information only,
free downloads .dll fixes or links to the vendor's site for
fixes.  You would subscribe or unsubscribe at your leisure.
Again non-vendor specific, it might just be the name
of the offending type, security level threat and a link to 
the fix for each vendor's updates.  Then a standard update and 
methodology by the vendor.  

It could contain spam filters for mailers, virus scan
identifiers, etc.  No virus or actual malware just fixes for
cleaning and debugging.  Also a daily spam list would be great for
people who would like to automatically eliminate spam from
their favorite mail utility (outlook, mail, pine ad nauseam).

This discussion is great, good discussion all.   
Jan Clairmont
Firewall Administrator/Consultant


-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Nick
FitzGerald
Sent: Wednesday, August 11, 2004 5:11 AM
To: full-disclosure@...sys.com
Subject: RE: [Full-Disclosure] AV Naming Convention


Frank Knobbe to Glenn Everhart:

> > Given the time allowed to do this work, it seems a cross reference after
> > the fact is probably the best one can hope for.
> 
> Perhaps they could elect one person (of each AV shop) to be a naming
> mediator between the organizations.  ...

Pick me, please -- I just love being woken up at 3:42am because folk in 
Russia are working a new virus I already saw hours ago and we now have 
to agree on a name...

That's right -- we don't all work for companies based in the same 
continent, let alone all work in the same place as all the other folk doing
analysis for our own companies.

> ...  Competition is still ensured...
> after all, everyone wants to get it out first. Here's another incentive.

Do you work in marketing?  If not, please get that stupid idea out of 
your head (if you do work in marketing then I assume you are 
genetically unable to think sensibly about the following).  

Most antivirus researchers do _NOT_ work that way, regardless of who
their employers are (and formerly, when a few such employers were dumb 
enough to try to use gag-clauses in their employment contracts these 
were often ignored anyway).  

> First one out to propose a new virus/strain can give it a name. All
> prominent AV shops could, to help industry and consumers (marketing
> opportunity here), come to an agreement that governs how names are
> standardized. First representative of an AV shop that raises the hand
> says "We got a new one! Can't give details of course since you are a
> competitor. But if you find the same thing in your research, let's call
> it Humptydumpty-2."

Pray tell, how are "name proposers" to convey to their peers which 
virus they have just found?  You say that they should not give details 
of the virus, yet as (part of) the naming problem is that there is no 
natural and unique naming method, simply knowing that another 
researcher called some virus "FooBar" gives one _NO_ insight into 
whether the new virus they are now looking at is a sample of FooBar.

Oh, and the competition thing -- that's not how things work.  The AV 
industry is a great deal better for having driven the John McAfees out 
all those years ago, along with the divisive and damaging (both to the 
customer and the industry) "sample competition" folk like him had been
encouraging.  If you really are an AV user, you'd be about the only one 
who is apparently keen to return to those "bad old days".

> Whoever finds the virus first has first choice on the name. No sharing
> of information required, just agreement on a name.

That is what we have now, which I thought was seen as a problem...

Also, how does some other researcher know that FooBar and the new virus 
they've just been handed to analyse and add to their employer's product 
is, or is not, one and the same thing?

You seem to be forgetting that a name is just a label and, alone, 
imparts no identity information.

> Is that so hard?

Well, it would be if anyone was daft enough to try to do it as you 
describe...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
