Open Source and information security mailing list archives
 
From: michealespinola at gmail.com (Micheal Espinola Jr)
Subject: AV companies better hire good lawyers soon.

I would say your position is ridiculous, and that your reference has
no meaning or bearing on the issue at hand - which is:

Someone is creating software that scans for 'naughty' things based on
digital fingerprints.  If your software is so important that you and
your user base cannot deal with possibly up to a few days of
inconvenience due to a false-positive - then yes, you had better
coordinate with that software vendor to make certain your
precious software is not one of them.

It's a free market, and you will have to deal with it if you want to
play along.  Certainly you're welcome to try to improve the game while
you're playing, but complaining and suing over such long-established
issues regarding AV fingerprints seems quite OOB for this list.  What
is being disclosed here that hasn't been a standing issue for 10+
years?

Someone else said, 'what about secret software?'  Don't be silly.  If
it's so secret, then no one can know that it even exists - never mind
registering a false-positive.  In a secret environment (in which I have
previously worked), there are (or should be) many more safeguards in
place to deal with this type of matter - as well as the always
workable overrides. And certainly issues can be dealt with, without
having to actually give away your secret.

Also remember, how impactive this issue can be all depends on how
automated your AV software is.  You can always quarantine until you
have verified it is not truly a virus, and you can always override the
false-positive scan until updated fingerprints are released that no
longer trigger a false-positive - allowing you to continue to use the
file(s) that are generating the false-positive.

A large percentage of my black/grey-hat tools scan as viruses.  I deal
with so-called false-positives on a daily basis without a loss of
functionality or ability.


On Tue, 14 Sep 2004 09:25:52 +0200, Florian Weimer <fw@...eb.enyo.de> wrote:
> * Micheal Espinola, Jr.:
> 
> > I disagree.  Programmers should know to submit their code to the
> > various AV companies in order to avoid false-positives.
> 
> This is a ridiculous proposition.  It's like suggesting that you have
> to submit your writings to the Department of Justice before you can
> exercise your free speech rights.
> 



-- 
-Micheal

