[Full-Disclosure] (no subject)

Barry Fitzgerald bkfsec at sdf.lonestar.org
Fri Aug 13 16:16:47 BST 2004 

Harlan Carvey wrote:

>Barry,
>
>  
>
>One other thing I'd like to throw into the mix.  This
>whole discussion is being viewed, it seems to me from
>the wrong perspective.  The attitude that the entire
>A/V industry should have a common naming convention
>seems to be coming from the open source camp...while
>A/V companies aren't necessarily open source. 
>Companies in general are about making money, and you
>do that through establishing and maintaining
>competitive advantages.  Expending resources (ie,
>people, money, time, etc) on an endeavor to establish
>and maintain a common naming scheme is an expenditure
>that has very little (if any) ROI...it can't be
>justified to investors.
>
>  
>
Agreed in general - though I'm not sure if it's an "open source" issue 
specifically... I've known many Free Software/Open Source people who are 
opposed to being held to standards bodies and "closed source" people who 
are absolutely sticky about adherance to standards.  Both perspectives 
have their downsides.  Nonetheless, that's a nitpicking issue -- your 
primary point is absolutely correct:  You can't enforce it;  They don't 
want to do it (and I'm inclined to think they probably shouldn't want to 
do it -- it's sort of like telling someone that they have to name their 
kid a certain way so that others can pronounce their name); the problem 
must be solved some other way.

>How are A/V companies competitive?  They identify and
>analyze malware, and update their products.  Doing it
>faster and better than the next guy is the key. 
>Slowing that process down to coordinate with other
>companies dissolves the advantage.  Let's say I
>discover a piece of malware, and call a round table
>meeting...only to find out that none of the other
>members have discovered the malware yet.  My advantage
>goes bye-bye.
>
>
>  
>
I think that the problem is being looked at as an industry policing 
issue when it's really an informational issue. 

By this I mean that the issue is in how the information on said malware 
is distributed and "digested" by the masses.  If there were a central 
information repository to go to for all of the advisories and for a 
combined write-up, it'd reduce some of the confusion. 

It wouldn't cost the AV vendors a thing because it would be a seperate 
organization.  The trick would be funding.  Starting a small site is one 
thing, but a site of this magnitude would have to be funded somehow.  Ad 
revenue probably wouldn't be enough for the 
bandwidth/equipment/man-hours to put something like this together...

          -Barry

Full-Disclosure is hosted and sponsored by Secunia.