RE: [Full-Disclosure] AV Naming Convention
- To: full-disclosure@xxxxxxxxxx
- Subject: RE: [Full-Disclosure] AV Naming Convention
- From: Nick FitzGerald <nick@xxxxxxxxxxxxxxxxxxx>
- Date: Wed, 11 Aug 2004 21:11:01 +1200
Frank Knobbe to Glenn Everhart:
> > Given the time allowed to do this work, it seems a cross reference after
> > the fact is probably the best one can hope for.
>
> Perhaps they could elect one person (of each AV shop) to be a naming
> mediator between the organizations. ...
Pick me, please -- I just love being woken up at 3:42am because folk in
Russia are working a new virus I already saw hours ago and we now have
to agree on a name...
That's right -- we don't all work for companies based in the same
continent, let alone all work in the same place as all the other folk doing
analysis for our own companies.
> ... Competition is still ensured...
> after all, everyone wants to get it out first. Here's another incentive.
Do you work in marketing? If not, please get that stupid idea out of
your head (if you do work in marketing then I assume you are
genetically unable to think sensibly about the following).
Most antivirus researchers do _NOT_ work that way, regardless of who
their employers are (and formerly, when a few such employers were dumb
enough to try to use gag-clauses in their employment contracts these
were often ignored anyway).
> First one out to propose a new virus/strain can give it a name. All
> prominent AV shops could, to help industry and consumers (marketing
> opportunity here), come to an agreement that governs how names are
> standardized. First representative of an AV shop that raises the hand
> says "We got a new one! Can't give details of course since you are a
> competitor. But if you find the same thing in your research, let's call
> it Humptydumpty-2."
Pray tell, how are "name proposers" to convey to their peers which
virus they have just found? You say that they should not give details
of the virus, yet as (part of) the naming problem is that there is no
natural and unique naming method, simply knowing that another
researcher called some virus "FooBar" gives one _NO_ insight into
whether the new virus they are now looking at is a sample of FooBar.
Oh, and the competition thing -- that's not how things work. The AV
industry is a great deal better for having driven the John McAfees out
all those years ago, along with the divisive and damaging (both to the
customer and the industry) "sample competition" folk like him had been
encouraging. If you really are an AV user, you'd be about the only one
who is apparently keen to return to those "bad old days".
> Whoever finds the virus first has first choice on the name. No sharing
> of information required, just agreement on a name.
That is what we have now, which I thought was seen as a problem...
Also, how does some other researcher know that FooBar and the new virus
they've just been handed to analyse and add to their employer's product
is, or is not, one and the same thing?
You seem to be forgetting that a name is just a label and, alone,
imparts no identity information.
> Is that so hard?
Well, it would be if anyone was daft enough to try to do it as you
describe...
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854