[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] (no subject)

To: Harlan Carvey <keydet89@xxxxxxxxx>
Subject: Re: [Full-Disclosure] (no subject)
From: Barry Fitzgerald <bkfsec@xxxxxxxxxxxxxxxx>
Date: Fri, 13 Aug 2004 11:16:47 -0400

Harlan Carvey wrote:

Barry,

One other thing I'd like to throw into the mix. This whole discussion is being viewed, it seems to me from the wrong perspective. The attitude that the entire A/V industry should have a common naming convention seems to be coming from the open source camp...while A/V companies aren't necessarily open source. Companies in general are about making money, and you do that through establishing and maintaining competitive advantages. Expending resources (ie, people, money, time, etc) on an endeavor to establish and maintain a common naming scheme is an expenditure that has very little (if any) ROI...it can't be justified to investors.

Agreed in general - though I'm not sure if it's an "open source" issue specifically... I've known many Free Software/Open Source people who are opposed to being held to standards bodies and "closed source" people who are absolutely sticky about adherance to standards. Both perspectives have their downsides. Nonetheless, that's a nitpicking issue -- your primary point is absolutely correct: You can't enforce it; They don't want to do it (and I'm inclined to think they probably shouldn't want to do it -- it's sort of like telling someone that they have to name their kid a certain way so that others can pronounce their name); the problem must be solved some other way.

How are A/V companies competitive? They identify and analyze malware, and update their products. Doing it faster and better than the next guy is the key. Slowing that process down to coordinate with other companies dissolves the advantage. Let's say I discover a piece of malware, and call a round table meeting...only to find out that none of the other members have discovered the malware yet. My advantage goes bye-bye.

I think that the problem is being looked at as an industry policing issue when it's really an informational issue.

By this I mean that the issue is in how the information on said malware is distributed and "digested" by the masses. If there were a central information repository to go to for all of the advisories and for a combined write-up, it'd reduce some of the confusion.

It wouldn't cost the AV vendors a thing because it would be a seperate organization. The trick would be funding. Starting a small site is one thing, but a site of this magnitude would have to be funded somehow. Ad revenue probably wouldn't be enough for the bandwidth/equipment/man-hours to put something like this together...

-Barry


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- Re: [Full-Disclosure] (no subject)
  - From: Harlan Carvey

Prev by Date: RE: [Full-Disclosure] SP2 and NMAP
Next by Date: RE: [Full-Disclosure] lame bitching about xpsp2
Previous by thread: Re: [Full-Disclosure] (no subject)
Next by thread: Re: [Full-Disclosure] (no subject)
Index(es):
- Date
- Thread