lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 17 May 2010 03:34:31 +0100
From: "lsi" <stuart@...erdelix.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Windows' future (reprise)

On 16 May 2010 at 12:22, Christian Sciberras wrote:

>> An interesting point - Unicode?
>> 
>> I don't think 5Mb files are infeasible, especially as time passes,
>> that'll be just a blip before long.

> You call it a "blip" yet you are counting in infections for *everywhere* and
> *anyone* so, what makes you think service providers (which have been comfy
> in the last 6 years with a dialup-grade connection) to abruptly switch to
> high-speed fiber-optic?

Well, just because network capacity is also growing at an exponential 
rate.  I take your point, some people don't have high-speed 
connections.  This will slow things down a bit, but that's all..

> I'm just saying that your statistics are based on too little variables

What else could I use?  x=time, y=amount.  I'm not sure how I could 
use more than two variables.  Those are the only numbers I get from 
Symantec's data.

> You yourself mentioned an error margin of ~24%. This will only *grow* by
> next year.

It's an average, so I thought it might auto-correct.  There was a 
similar dip in 2006.

> Lastly, I stand my point: Malware cannot be taken is a combination (as you
> and other certain "specialists" think of it). Reason number one being that a
> software combination (hash) can vary from between "malware", "useful" or
> "utterly useless"; ie, the combination of having only malware is so
> undefinable that you can't put it in any equation.

I think I understand, you're saying a virus can't be a random string, 
and I agree.  That is the job of the obfuscator, to make the virus as 
random as possible, while retaining the integrity of the logic.

I thought you were saying that the ASCII character set has 
insufficient characters to permit x billion combinations, so I 
wondered whether Unicode would.

The problem of defining malware is not mine.  All I'm doing is 
analysing Symantec's stats.  Symantec have already examined the 
sample and classified it as malware, before it gets included in the 
stats.  Symantec's stats might be dodgy, but I doubt it, surely they 
wouldn't waste their time?

> Symantec's results are not wrong, it is how you/people use them that may be
> wrong, such as attempting to predict anything out of them.

The time-series analysis I did is commonly used to make forecasts.  
It is an accepted practice to take time-series data and extrapolate 
from it.  Of course, there is an element of uncertainty, especially 
if the data is weak (small sample size, bias in the data etc).  I was 
disappointed I only got 75.4%.

What I will concede is that the conclusions I have drawn from the 
results of the analysis may well be wrong.  I don't work in an AV 
company and can only report what I see in the field.  I can see those 
numbers going up, and up, and up, and it's only natural to wonder 
where it will end.  I can also see my customers' computers running 
slower and slower, and I know what sort of performance kick is 
possible if AV is disabled, and I know that virus scans take longer 
and longer to complete.

So I do think it's a fair question to ask - will my computer handle 
billions of threats?  Does it make sense to be relying on AV to 
protect my customer's computers?  Is this house really on fire, or is 
that completely normal?  What answer should I give, when my customers 
ask me, how can I stop this from happening  again?  When my customer 
is about to make an expensive strategic purchase, what points should 
I make, concerning long-term planning?  Is my business at risk, if I 
say the wrong thing, and my customers go out of business because 
their hardware/software combination is no longer viable?  I imagine 
these questions are on the minds of many IT managers, and with a 
chart on the wall showing 243% mutation, it is only reasonable that 
they be asked.

Stu

---
Stuart Udall
stuart at@...erdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ