[clug] Anti-Virus Software

Paul Wayper paulway at mabula.net
Sat Jun 26 20:20:44 MDT 2010 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/22/2010 01:44 PM, Brett Worth wrote:
> Looks like I'm gunna need some AV software for my Linux systems.  Maybe I could run some
> in a VM or under Wine.  :-)
> 
> http://www.news.com.au/technology/no-anti-virus-software-no-internet-connection/story-e6frfro0-1225882656490

If it's absolutely necessary I'd install clamav on my home server.  I don't
know if I'd have to actually use it, though - that depends on the wording of
the law or contract.  Having industry-grade firewalls on my laptop and on my
router, I feel fairly confident that probe-style attacks aren't getting
through.  And running Linux and keeping it up to date, I feel fairly confident
that PDF and malicious binary attacks won't be getting through either.

I think it's good that they're finally looking at the idea of software vendors
being liable for vulnerabilities.  Because the one thing that has kept the
large proprietary software vendors releasing products with holes in them is
that they can sit on bug reports and not do anything.  They insist on
'responsible disclosure' (i.e. tell us first in secret) and then do nothing.
When the security researchers finally give up and release it publicly, the
companies attack the researchers' credibility.  Then finally they say "yeah,
well, that fix is in the new release, you'll have to install new software."
Preferably at a price.

So anything that puts financial pressure on those companies to do the right
thing first and quickly is a good thing.  I think Open Source vendors such as
Canonical and Red Hat might have a bit more liability, but since they've got a
much better security development model than the closed source vendors - and a
much better reputation - I don't think they're likely to suffer.  I doubt
anyone will be suing Debian for the same reason that no-one yet has challenged
Debian's "patented" use of OGG - i.e. there's no money in it[*].

([*] The main reason that no-one's launched a patent challenge against OGG yet
is because there isn't one.  I'm confident in asserting that the technology
for OGG is only covered by general patents - e.g. 'a method of converting
still frames to video' - and in the current patent climate in the USA
especially (Bilski et al) that's likely to get your patent invalidated and
leave you holding the other side's lawyer's bill as well.  My opinion is that
no specific patent that directly blocks Ogg Theora is owned by the MPEG
licensing group.  They obviously want to create a lot of FUD, but if there was
any facts behind their allegations they'd have fronted up to court years ago.)

While I don't think that it will dramatically change the landscape to make
software (and hardware) companies liable for their vulnerabilities, it will
put more pressure on them to be more public and quick to act.  It gives
security researchers more fangs.

Have fun,

Paul
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkwmtXwACgkQu7W0U8VsXYIgzQCZAZdWJJ4davo9GTffjwDD5Dij
/tsAn09jzdLVUfv4fEW+hRoNhSXQFb6h
=H8ra
-----END PGP SIGNATURE-----

More information about the linux mailing list