[funsec] ? - I don't know where to send this one,
so I'm sending it here...
Nick FitzGerald
nick at virus-l.demon.co.uk
Wed Nov 2 18:20:04 CST 2005
Valdis Kletnieks to me:
> > Why are our "protection" systems based on the obviously absurd
> > notion that it is somehow more useful/efficient/whatever to detect
> > more known bad stuff (which is a form of default allow) than simply
> > to detect and allow only the known good stuff (default deny)?
>
> Because Willy Wonka never *did* figure out how to sell somebody a
> second Ever-Lasting Gobstopper.
Of course I know that, but you are absolutely correct to focus on the
_suppliers'_ needs. The supplier wants an income stream. Long ago MS
realized that the way to achieve the best income stream was to
regularly update the software. The contemporary anti-virus (and then
"anti-Trojan" and now "anti-spyware") industry recognized it could achieve
this even better than MS with an enduring avalanche of VERY regular
updates.
Of course, why this has NEVER changed through force of pressure from
intelligent, informed, diligent system admins at large corporate and
government clients is actually the important question. The answer is,
in short, there are actually incredibly few intelligent, informed and
diligent sys-admins able to (or at least willing to try to) wield any
useful amount of economic pressure.
The reasons for that are multitudinous, with some intelligent, informed
and diligent sys-admins being hamstrung by ludicrous policies and
other entirely internally developed and enforced (within their
employing organizations) mechanisms, but it's not entirely incorrect to
say that a large part of the problem is that there are actually very
few intelligent and informed sys-admins, due to the dominant IT culture
being one of "it's right if it works" rather than one of "make this
work right".
The latter means businessmen like Dr Solly get rich supporting the
"need" of others to keep their systems stupid and ill-run...
Of course, SOHO is an entirely different kettle of fish, with "stupid
and ill-run" being a given and requiring a different approach. In
fact, current AV practices probably are the best approach for such
users, but that is no reason to adopt it or even _allow_ it in properly
designed and run corporate IT systems...
Regards,
Nick FitzGerald