From: fulldisc at ultratux.org (Maarten)
Subject: (no subject)

On Sunday 15 August 2004 04:52, Nick FitzGerald wrote:
> Maarten wrote:
> > First off:  Nick, please lose that damn attitude of yours !
>
> Why?

Because you're being rude, and anti-social.  You don't score points with this.
Jeez why do I even HAVE to explain things like this.  SO typical.

> You're clearly ignorant of what you are talking about, yet you speak
> with an air as if you do know something about the topic.  Further, your
> ignorance would have been cured by carefully reading all of the
> foregoing thread.  There's a point where the idiocy and chutzpah that
> several have shown in this thread makes them no longer worthy of polite
> consideration and at that point I usually adopt the "beat it into them
> in case that helps" approach...

yada yada.  You may work in the industry (and be blind because of it) and I 
may have an incredible high IQ (so much higher than yours that you perceive 
I'm stupid instead).
But the thing is, you don't know that.  So stop bashing me and showing off.
You can shine by your actions, not by your reputation...

> > Further, by hammering on the endless
> > we-have-done-it-for-many-years-so-who are-you-to-tell-us-differently part
> > you're actually making yourself part of the problem, not part of the
> > solution.
>
> You show more and more of your ignorance each time you open your mouth.

You ARE part of the problem !  You leave no opportunity unused to bash 
opponents instead of using solid arguments.

> _If_ this "problem" is ever solved, it is very likely that I will have
> been a not insignificant part of that solution.  I can't prove that to
> you but it is "just one of those things" and probably undeniable to
> anyone who knows what they are talking about when discussing this
> problem.

Which coincidentally, by your own admission, would be only you.
So you're effectively saying: "I will probably agree with myself." 
Well, whoopty-doo...  big surprise there. 

> > You're saying that internal procedures make it so difficult to adapt
> > names after the fact.  When in fact the strength of a company, any
> > company, IS to be able to adapt to changing circumstances.
> > And if they're not able to, eventually they will go the way of the
> > dinosaurs.
>
> You are confusing two different aspects of the AV industry.  Yes, the
> industry has to be quite flexible and able to quickly react to
> significant shifts in the malware detection problem set.  That does not
> mean it has to be equally flexible (or even "flexible in the tiniest
> little bit") when it comes to malware naming, as the last 15 years of
> commercial AV software development, marketing and sales prove.  Your
> suggestion is found wanting in the light of significant history -- care
> to make some more obviously uninformed comments??

I'm not confusing anything.  The statement about needing to be flexible 
applies to ALL companies, on ALL aspects.  It is stupid to think that a 
company can be inflexible in one thing while being flexible in another.

> > The only thing Todd (and I) are trying to say is that it is possible to
> > rename after the fact.  ...
>
> Of course it is.
>
> I never denied that.

Yes, you did. 

> I have, however, pointed out several reasons why that generally doesn't
> happen, why that situation is very unlikely to change  _AND_ why it
> would not be particularly helpful even if it did change.  In response
> to those explanations you and Todd (and some others) just keep dumbly
> repeating "but they should change".
>
> Something we both agree on.
>
> The difference is that in designing a better naming system, I am not
> limited to parrotting stupid inanities about things I don't understand
> -- I can analyse the history in multi-layered and interacting terms of
> the industry's technical, economic and political development, its
> current internal culture, place that in larger market and political
> contexts, and as a result make useful suggestions that are much more
> likely to be adopted inside the industry and that mean the industry can
> change to better suit those external factors.  I can also advise those
> "outside" AV what elements of those environments they may best and most
> easily change to increase the likelihood the AV industry will make
> "suitable" changes.

No, you're a shining example of being too close to your subject to have an 
impartial and unclouded view.

> I await your parrot squawk response...
>
> NOT!

I'm happy to say I don't care whether you await it or not. 

> > ...  I don't #!%$&* care how many old Cobol programs need
> > adapting for that to "get" possible, but the fact remains that it IS.
>
> _Theoretically_, yes.
>
> I have now lost track of how many times I have agreed with you (and
> others) on this now.
>
> The larger and much more salient fact is that, in today's market (and
> everything that has gone before it), there is no compelling reason for
> several of the very large players to make the expenditure and introduce
> the huge upheavals to internal processes (that are clearly working
> because these companies have not gone the way of the dinosaurs and, to
> the contrary, are experiencing some of their strongest growth ever)
> that fixing the naming problem will require.

All change starts small.  Maybe discussions such a this will wake people up, 
maybe there will even be a voiced demand from the public.  That DOES hurt 
sales, thus shareholders, which is what you need to have done, right ?
The only thing I'm sure about is, YOU will not be instrumental in this.

> > Don't start again about how your current procedures may prevent or
> > complicate that.  Worse integration problems, by far more complex and
> > bigger companies or conglomerates are being tackled every day.  Yeah. To
> > name a few ? How about mergers, or international intelligence-exchange
> > between law enforcement agencies.  Do you think that they let anyone stop
> > them by complaining that database format X isn't readily compatible with
> > format Y ? No. They fix it, they make it work together no matter what.
> > So don't start about how impossible it is for you to rename one simple
> > entry.
>
> Both your belief in, and your abject inability to see, your own
> ignorance are truly astonishing!

Saying someone is ignorant without proving that only makes yourself look 
stupid.  

> As Valdis (?) has already addressed the most egregious flaws of your
> "logic" here, I'll move on other, more AV-specific issues.

Valdis only mentioned economics.  We agree on the economic situation. 
But you're not focussing on that AT ALL.  You are saying there are technical 
reasons not to.  Like the next point, which I'll -sigh- explain to you again.

> > To conclude, I'd like to put serious question marks by your statement
> > that the first few hours are the all-important ones.  First off, by
> > renaming after the fact (after the first few hours/days/weeks) no-one is
> > changing ANYTHING about those first hours so you shouldn't have ANY
> > complaint regarding that.
>
> Huh???
>
> What _are_ you trying to say?

Well, just for you, to make it simple.  
At Time T you find a virus and name it whatever you like (just as you do now).  
>From time T until T+48h you have the "all-important hours" of confusion as 
you are so adamant to repeat at every opportunity. So let there be confusion. 
At Time T+50 you agree upon a singular standardized name and rename it.

So, compared to now, what has changed between T and T+48 ?? Nothing.  So stop 
complaining about me messing up those "all-important hours" of yours.  I'm 
not messing anything up.  I'm renaming when the panic has died down. 
Get it now ?!?!

>
> The first few hours _under current processes_ produce nearly all of the
> confusion caused by naming inconsistencies.  Media outlets latch onto

This is not a scientific fact, and I do not agree with you.

> the multiple names (though some will only report one of these, at least
> initially).  System admins get multiple reports and warnings of new
> outbreaks and have to work out whether the updates from the three (or
> more) different AV suppliers whose products they use all cover "all" of
> the new viruses (which may only be one, but the admins don't know yet).
> Then, after the initial hub-bub dies down, the way all the foregoing
> works produces a (modest to significant) negative pressure on the  AV
> companies to change the name reported by their scanner -- they have
> sent out alerts to system admins with their initial name and as
> confusing as it was at the time that this was not the same name as some
> of the competition used the admins of their scanners have become
> somewhat familiar with that name, the major news agencies all included
> that company's name for the malware in their reports so folk will come
> looking for that name at their web site, and so on.  Those everyday
> (well, every incident) negative pressures for name change further
> reduce any perceived ROI of changing the processes that would allow for
> much greater naming flexibility (when viewed as a business issue,
> rather than as a theoretical or technical one).

Are you thick ?  Of course they will not "further reduce" that.  If anything, 
increase it. Negative press hurts the bottom line, or does your special 
universe work differently ? 

> > Secondly, a lot of the confusion only comes later. The guys that have
> > their AV software up and running and current mostly do not suffer from
> > the outbreaks. The problem often comes (much) later, with the people who
> > didn't update, 'forgot to', or plain disregard any security or updates
> > whatsoever.  And then you are only called in to fix things when stuff is
> > really breaking down. Or are you saying you've never been asked to
> > de-toxify your parents'-, friends'- or siblings'- computers that got
> > infested despite everything ? Everyone has.
>
> I did not say that there were not downstream problems as a result of
> not renaming.  I said the majority of the cost (as a business factor)
> of naming inconsistency occurs in the first few hours of an "outbreak"
> situation, either directly (e.g. the sysadmins rushing round trying to
> work out if the three alerts from three different vendors in the last
> 15 minutes for FooBar.AB, FooBar.AC and FooBar.AD are, in fact, just
> different names for one virus or two or three new variants they then
> have to ensure all their products get updated to detect ASAP) or
> indirectly (the media reports start to be written as the developers
> post alerts to sysadmins, and these promulgate _and preserve_ further
> confusion based on the mish-mash of names from early in an outbreak,
> and worse, can add their own cutesy, media-coined names to further mess
> things up).

This comes at a significant cost to the AV company too:  when not renaming, 
they still have to compare their viruses found to all the competitors' ones, 
if only to be able to update their description pages. 

But there is another glaring hole in your whole approach.  On the one hand you 
say that those early hours are the problem, yet you keep saying you're 
categorically refusing to tackle that, in earlier posts.  So are you part of 
the problem, or not ?

> Those are the reasons why renaming after the event will not
> significantly reduce the costs and complications of naming confusion.
>
> Before you respond Maarten, please re-read the whole thread again to
> see how many times this has already been explained...  (Note that I
> consider this and the parallel thread on naming conventions to be part
> of the same thread.)

I do too.    Please get it into your thick head that it IS conceivable that 
someone not agreeing with you  !=  someone is wrong.  The world doesn't 
revolve around you and your views, you know.  

> > Oh and P.S.:  Yes, I did read all of the threads pertaining to this.
>
> It's a pity you didn't understand what you read then, as you have
> presented no good arguments against the points I have now made several
> times, and mostly you simply regurgitate the clue-free comments that
> you have already made.

If there is someone who's endlessly repeating himself, it is you.

> I am now very tired of repeating myself and having you and some others
> fail to grasp the slightest bit of what I have been explaining.  If all
> you do is repeat yourself again I shall most likely just ignore you, as
> I have better things to do with my time than beat my head against the
> block wall of your ignorance.

Funny, I thought the exact same thing myself.  So we'll probably stop this 
discussion that is going nowhere anyway.  Have a nice life the the AV 
research industry.  And when (not if, when) the time comes that y'all DO 
agree on fixing the naming problem, maybe you'll think of me for a second. 
Okay ?

Maarten

Powered by blists - more mailing lists