Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: [Full-Disclosure] (no subject)
From: Nick FitzGerald (nickvirus-l.demon.co.uk)
Date: Thu Aug 12 2004 - 14:25:18 CDT
Maarten to me:
> > However, if all AV vendors (and it would have to be all vendors or
> > market forces would prevent it happening, so guess what is one of the
> > largest things blocking better naming coordination?) were to agree a
> > name perfectly before _any_ of them shipped updated detection for new
> > viruses, it is a better than than fair bet that those same outsiders
> > would the be ones complaining longest and loudest about how tardy AV
> > vendors were at shipping "emergency" updates.
> There is nothing stopping AV vendors from naming freshly discovered virii with
> an internal naming scheme (VENDOR-YYYYMMDDHHxy) pending a central database /
> organisation to name the virus. Then all vendors can rename the new strain
> from their generic temporary name to the definitive name. This is trivial,
> they update virus definitions all the time, why not also update the name.
I can easily understand how someone unversed in the _market forces_
pertaining to antivirus software could hold that position, and as a
theoretical solution to the problem of lack of cross-vendor naming
coordination it has often been suggested even by though who know it
would never work in the real world.
Neat and tidy as such a solution seems, it will not, however, work. As
I explained in other of my posts in this and the related "AV Naming
Convention" thread, in general by far the largest "cost" of naming
disagreement is borne by the users in the early hours of large-scale
outbreaks. Thus, a "solution" that specifically _requires_ all vendors
to use a different name until a name is agreed (no matter what this
process it will take some _additional_ time) is, by design, an _anti-
solution_ as such a "solution", by design, ensures perfect naming
inconsistency at the time the highest cost of naming inconsistency is
Secondly, one of the greatest impediments to ongoing (as opposed to
initial, outbreak-phase) naming inconsistency is that many vendors do
not have internal processes robust enough to easily handle renaming
Bearing both in mind, it is obvious that the only likely useful
solution to this problem will be one that allows for the fastest _and
earliest_ possible resolution of "VendorX and VendorY have both just
seen samples of what is almost certainly the same thing which will be
known as..." _AND_ provides an easy, even trivial, mechanism for the
right folk at VendorX and VendorY to learn of this. _FURTHER_, even if
such a mechanism can be implemented, it will likely be useless as much
history suggests that the vendors seem unable to change (and are
certainly _unwilling_ to spend the time and effort to change their
internal procedures to allow for better naming and renaming
flexibility) unless there is some very large external stick being held
over them (such as, perhaps, some compliance requirement for AV
software to be used in any branch of the US federal government and its
many and varied agencies...).
> This could even be good for competition; the central authority could give
> credit to the first discoverer by naming the virus after the vendor who first
> found it (but I digress here).
No, please don't suggest such things. The PR and marketing folk in AV
(as everywhere else) as already dangerously clueless about what their
products do, who they do it and the "importance" of their own product.
Such a naming scheme would simply add years of totally stupid marketing
back into an industry sector where the technical folk have fought very
long and hard to reign in the stupidity of overly emotional, grossly
under-informed, generally "publicity-seeking to the detriment of the
industry as a whole" marketing moves.
> In the real world, things are very often named after their discoverers or
> inventors. Star systems, diseases, laws, etcetera.
And that is such a bad idea here for so many reasons I'm not going to
waste my breath even trying to explain more than the above comment
other than to add, much as it may not be apparent and much as it is far
from perfect, the malware naming process we use is supposed to be a
simple taxonomic system relating, at the broader view than "you have
the virus FooBar.X", the related-ness of similar code and
differentiating less similar code. Much as the current system is
imperfect, any attempt to "fix" malware naming that involves removing
the current scheme's (weak) taxonomic structure will find extremely
stiff resistance from some significant segments of the industry.
> Of course, the first thing is to form that central authority, but then again
> lots of industries have a central authority -whether decreed by law or not-
> so it's not something deemed impossible.
Sure -- if someone is prepared to pay a few salaries, it would be
relatively easy to set up some kind of "naming authority". Of course,
if this were done without _extensive_ consultation with AV developers,
it is unlikely to be worth the effort as no-one will pay much attention
to the "authority", making it somewhat less authoritative than may be
> At least there are no technical barriers to stop that, only political ones.
"this" == setting up the authority? True, the barriers to that are
primarily economic and political. There are, however, technical
barriers too. Such an authority has to have a reasonable technical
basis from which to make its classification decisions -- recall, its
purpose is to impose naming standards on the industry, and the industry
will take a very dim view of said "authority" (assuming some external
force can be brought to bear to induce or compel the industry to work
with the authority) if industry members have to spend a great deal of
time arguing the point over mis-classifications. If you have some idea
of the complexities that can surface in such discussions -- which,
given I don't recognize you as being an established AV researcher I
strongly suspect you _cannot_ -- then I doubt you'd say that there no
technical difficulties if the point of setting up such an "authority"
includes some notion that it should be functionally useful...
> Despite the high rate of development as you outline below. Using a temporary
> name is quite simple to do, ...
> ... simple to update...
False as I've hinted above and recently discussed in more detail
elsewhere (if it were easy, do you really think that a certain very
large AV vendor would still be calling the Bagle family "Beagle"?).
> ... and overall better for everyone.
False as it ensures greater naming inconsistency at the time of highest
cost _to the user_ of such inconsistency.
Some places one out of three aint bad, but in a technical sphere like
this, I'm afraid that means you have to go back to the drawing board...
(And please, before replying to this message, please, please, please,
please, please read _all_ the rest of thread -- as the only person
making a significant contribution who has more than half a clue about
how all this stuff works, what may be technically feasible, and what a
great deal of customer and industry history suggests may be acceptable,
answering the same misconceptions over and over is getting tiresome...)
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Full-Disclosure - We believe in it.