[funsec] Spam cube

Drsolly drsollyp at drsolly.com
Mon Mar 20 05:52:45 CST 2006

On Mon, 20 Mar 2006, Nick FitzGerald wrote:

> Drsolly to me:
> > > In the AV market -- now a very well-established product category with 
> > > "matured" marketing -- that boils down to "misleading with the truth", 
> > > as the AV marketeers have fostered the totally BS notion that "AV is 
> > > essential" 
> > 
> > In an ordinary collection of business computers (which means they're
> > mostly running Windows), do you think that AV is some sort of luxury 
> > extra?
> "AV as it is commonly done today" -- yes.
> Well, not a luxury extra, just a massive waste of money for what it 
> delivers.  It's a constant case of closing the stable door after the 
> horse has bolted...

No, it's closing a billion stable doors after a few horses got out.
> There are much better ways _in an ordinary collection of business 
> computers_ to secure the integrity of those machines' codebase than 
> hoping your chosen known virus scanner(s) are updated quickly enough 
> and that you are always lucky enough that someone else gets hit by 
> anything new and sufficiently ahead of that thing arriving at your 
> business for your AV developer to get samples, develop and ship an 
> update and for you to get that installed on all your machines.  Of 
> course, developing and adopting the tools to achieve those much better 
> results will (mostly) deprive the current AV business of its steady 
> income stream, supplied by the current addictive update model (and, in 
> fact, a good code integrity management system would need very little 
> updating from the vendor at all, so the whole additive update model 
> would die _for business users_).

So, what you're saying is, AV is necessary, but it should be according to 
*your* design.

You'd be surprised at the cost burden that a good integrity management 
system imposes - possibly even greater costs than the "known virus" 
scanner model.
> Thus, it is not in the AV developers' interests to develop or encourage 
> the use of such alternative technologies, so they use their marketing 
> skill to "mislead with the truth"  to perpetuate the myth that AV (as 
> it is done now) is "essential", thus ensuring the future of the AV 
> developers and their marketeers...

This is a classic situation crying out for someone to leap in and undercut
the existing market with a new and vastly better product. But I don't see
that happening. You might say that "Symantec has no incentive to do so",
but certainly Joe Littleprogrammer has - he could capture a chunk of the
AV market, of which he has currently zero share.
The problem is, integrity management products lead to greater costs than 
known-virus scanners.

> > > to the point that intelligent, fairly well-informed (large 
> > > corporate) systems managers not only believe the official AV marketing 
> > > line they collectively write "best practice" documents and such 
> > > _enshrining_ the use of exactly these products despite them being all 
> > > but useless for the purposes they putatively fulfill.
> > 
> > I defined, maybe 15 years ago, the purpose of an AV. It is to reduce the
> > cost of using computers in a world that includes viruses.
> So, you'd agree that "better AV" either reduces the risk more or costs 
> less for the same amount of risk reduction?
> If so, there are clearly now much more cost-beneficial ways of ensuring 
> a medium (and larger) sized business has its computers protected from 
> "rogue code", both in that the cost of obtaining, configuring, rolling 
> out and maintaining the licensing of products implementing a new 
> approach (ignoring "switchover costs") 

Most certainly. Using Linux on the desktop, for example (ignoring 
"switchover costs") is very low-cost. Grannyx would be even better.

> are lower, AND the likelihood of 
> being compromised once the new approach is implemented are MUCH 
> smaller.  So, that modern businesses continue to use old, largely 
> inappropriate AV tools shows the success of the AV marketeers and their 
> mission of "misleading with the truth"...

No, it shows that they (or at least some of them) have calculated that the
costs of an alternative (*including* switchover costs - I cannot imagine
why you tried to ignore those), are greater than their existing methods.

> > > So, "misleading with the truth" is shorter, more accurate and thus, at 
> > > least to my eye, more elegant...
> >  
> > If you're hoping to be in business in the long term, then you work out 
> > what they need, and you also find out what they think they need, and then 
> > you give them both, and try to ensure that they know that they're getting 
> > both.
> > 
> > You give them what they think they need, so that they buy your product.
> > 
> > But you *also* give them what they *actually* need, so that they're 
> > satisfied with their purchase, and don't dump you for some other product 
> > later.
> And that, I suspect, is where our views of the _current_ AV market 
> diverge.

I'm not so sure that they do. I think that most of our difference is about 
motives, not methods. I'm sure I've said here before, I don't know of an 
antivirus that's good enough to use, other than "use Linux". But you 
ascribe this to the profit motive of the "greedy AV companies", whereas I 
ascribe it to the fact that no-one has created anything better, so far.

>  Once upon a time the then-current implementation of what was 
> essentially the same approach as is still in use today actually was a 
> fairly sensible approach to the (then much smaller) problem of rogue 
> code.  However, through time the threat model changed significantly, as 
> has the scale of the actual threat (though to listen to the marketeers 
> you'd have trouble ascertaining this change has occurred -- it's always 
> been really, really bad according to them!  8-) ). 

As the number of happenings like the recent McAfee false-alarm increases, 
so the pressure mounts for a system that doesn't lead to a daily (or 
hourly) update requirement.

> Further, a lot of 
> the structural limitations that made many of the ugly compromises 
> encompassed in the "old" AV model not only acceptable, but necessary, 
> have disappeared (CPUs spending most of their massively increased 
> processing cycles idle, massive amounts of RAM as standard, much faster 
> hard drives, OS advances like secure(-ish) memory management, proper 
> multi-threading and secure process separation, (near) universal and 
> very fast networking, etc, etc) _AND_ precisely the removal of these 
> limitations should allow the shortcomings of decent code integrity 
> management that previously prevented it working well enough to be 
> overcome...

None of the above are the main problem of code integrity management. The 
main problem is that things that we thought don't change, actually do 
change. Consider, for example, Word macro viruses.

I think that the long term answer is in the reduction of functionality of 
the computer, for the vast majority of people who don't need the 
functionality that leads to malware. Grannyx is the answer.
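As an added illustration of the "things we thought don't change, actually do change" point above (example code, not part of the thread or of any product it mentions), a minimal hash-baseline integrity check in Python run over a constructed set of files: the baseline records hashes only for the extensions the operator believes are code, so a macro-bearing document is invisible until .doc is added to the watched list, at which point every honest edit to a document also needs a baseline refresh.

```python
import hashlib

# Constructed sample file system (path -> content); not from the post.
BASELINE_FS = {
    "C:/Windows/notepad.exe": b"MZ notepad build 1",
    "C:/Office/winword.exe": b"MZ winword build 1",
    "C:/Docs/budget.doc": b"budget figures, no macro",
}
# The same machine a week later: the user edited budget.doc, and a new
# report.doc that carries a macro arrived (constructed, not a real sample).
LATER_FS = {
    "C:/Windows/notepad.exe": b"MZ notepad build 1",
    "C:/Office/winword.exe": b"MZ winword build 1",
    "C:/Docs/budget.doc": b"budget figures, revised, no macro",
    "C:/Docs/report.doc": b"quarterly report, contains a macro",
}

CODE_ONLY = (".exe", ".dll")              # what an early baseline treated as "code"
CODE_AND_DOCS = (".exe", ".dll", ".doc")  # what macro viruses forced onto the list


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(fs, watched_exts):
    """Record a hash for every file whose extension the operator treats as code."""
    return {p: sha256(d) for p, d in fs.items() if p.lower().endswith(watched_exts)}


def check(fs, baseline, watched_exts):
    """Compare the current file set with the baseline.

    Only files of a watched type are examined; everything else is, by the
    system's own assumption, inert data and is never looked at.
    """
    watched = {p: d for p, d in fs.items() if p.lower().endswith(watched_exts)}
    return {
        "modified": sorted(p for p, h in baseline.items()
                           if p in watched and sha256(watched[p]) != h),
        "new": sorted(p for p in watched if p not in baseline),
        "missing": sorted(p for p in baseline if p not in watched),
    }


if __name__ == "__main__":
    for exts in (CODE_ONLY, CODE_AND_DOCS):
        base = build_baseline(BASELINE_FS, exts)
        print(exts, check(LATER_FS, base, exts))
```

With CODE_ONLY both document changes pass unnoticed; with CODE_AND_DOCS the harmless edit to budget.doc is flagged alongside report.doc, which is the operational cost the post refers to.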
