[ISN] Message To Antivirus Industry: Only The Truth Shall Set You Free

From: InfoSec News (isnat_private)
Date: Mon Feb 18 2002 - 22:49:58 PST


Forwarded from: "Junkmail Rosenberger" <junkmailat_private>

[This is a parody of a recent op-ed by Richard Forno (Infowarrior.org)
that appeared here on ISN. The parody is directed at the antivirus
industry, not Forno.]

Message To Antivirus Industry: Only The Truth Shall Set You Free

News flash! Judge Kollar-Kotelly has granted the states access to
antivirus software source code as part of this phase of the anti-trust
ruling. Of course, the antivirus giant is against this action, and we
can only hope her decision stands.

If so, not only will this level the legal playing field in the case,
as Kollar-Kotelly says (by allowing the states to verify the antivirus
industry's claims about its products), but more importantly, allow IT
professionals to see exactly how secure (or insecure) antivirus
software really is, something that many security professionals have
been calling for a long time as the ONLY true way to verify and
validate the antivirus industry's claims about the stability,
security, and reliability of its pervasive antivirus systems. In the
industry's defense, releasing the code will go a long way in
curtailing the growing negative press and public sentiment about their
firms and their products, and could be an action that actually
generates business for them over the long term.

Considering that nobody outside of the antivirus industry knows what
evil lurks in the millions of lines of code compromising antivirus
software, by granting external access to source, Kollar-Kotelly has
established the basis for what some would call the "ultimate
vulnerability disclosure" -- namely, finally discovering the truth
about an antivirus product's features, both documented and
undocumented, that are the scourge of the IT world yet the subject of
oddly few IT-security news stories over the past five years.

This is a long-overdue action, and I pray the decision stands.
(Actually, one could argue that this is the penultimate example of
what "responsible vulnerability disclosure" is all about...)

Releasing antivirus source code to the states (parties outside of the
industry with (hopefully) non-profit interests in justice and not
market dominance) would be one government-initiated action that
actually improves the security and assurance of America's critical
infrastructures and (by extension) the world's IT sector. This would
be a real, tangible action that actually increases security, unlike
the FAA prohibitions on carrying Swiss knives, knitting needles, or
razors onboard a civil airliner.

As such, given that antivirus software protects some pretty
significant, critical systems in our financial, utilities, medical,
and defense sectors, releasing the source code for external evaluation
is not just a 'nice-to-have' but a MUST-HAVE as we move towards
effectively increasing the security of America's critical
infrastructures ... for the antivirus industry, it's the responsible
thing to do, given their much-ballyhooed 'focus' on security.

If the industry is truly committed to paying product security anything
more than PR lip-service (which many security professionals believe is
all they are doing), they will embrace Kollar-Kotelly's decision as a
significant step in improving the security of -- and the public's
trust in -- their companies and their products. By releasing the
antivirus source code, the industry can prove to the world it has
nothing to hide and that it can be trusted as a purveyor of
mission-critical software. This likely would lead to a restored public
image and confidence in their companies, quite possibly leading to
increased business and sales. So it's a win-win for the antivirus
industry, assuming it ever gets over its corporate hubris and realizes
the potential long-term benefits it could reap by simply and
accurately complying with court orders.

From a business perspective, the antivirus industry would be wise to
do the mature thing -- quietly take its court-ordered medicine
(ignoring how bad it might taste in the short term) and realize that
it stands a good chance of getting much better in the long term.

Thank you, Judge Kollar-Kotelly, for taking a pro-consumer and
pro-security position with your ruling, one that -- assuming it stands
and is correctly acted upon in the best interests of the country --
will be one of the few government actions actually (and effectively)
improving the security of America's critical infrastructures.

It would be a public service on an unprecedented scale.
ISN is currently hosted by Attrition.org

This archive was generated by hypermail 2b30 : Tue Feb 19 2002 - 02:52:41 PST