[clug] Anti-Virus Software

steve jenkin sjenkin at canb.auug.org.au
Sat Jun 26 20:37:53 MDT 2010


Paul Wayper wrote on 27/06/10 12:20 PM:
> On 06/22/2010 01:44 PM, Brett Worth wrote:
>> Looks like I'm gunna need some AV software for my Linux systems.  Maybe I could run some
>> in a VM or under Wine.  :-)
> 
>> http://www.news.com.au/technology/no-anti-virus-software-no-internet-connection/story-e6frfro0-1225882656490
> 
> If it's absolutely necessary I'd install clamav on my home server.  I don't
> know if I'd have to actually use it, though - that depends on the wording of
> the law or contract.  Having industry-grade firewalls on my laptop and on my
> router, I feel fairly confident that probe-style attacks aren't getting
> through.  And running Linux and keeping it up to date, I feel fairly confident
> that PDF and malicious binary attacks won't be getting through either.

Most Linux desktops are closer to 'servers' than 'desktops'.

I've seen no mention (but haven't researched it) that servers have to be
secured/hardened...
Shutting down all "open relays" would go a long way to reducing SPAM.

What about the expertise of a given User/Admin?
The rules for a Dumb Schmuck User and a competent Admin should be
different [just as they are for Negligence cases with 'Experts'].

> I think it's good that they're finally looking at the idea of software vendors
> being liable for vulnerabilities.  Because the one thing that has kept the
> large proprietary software vendors releasing products with holes in them is
> that they can sit on bug reports and not do anything.  They insist on
> 'responsible disclosure' (i.e. tell us first in secret) and then do nothing.
> When the security researchers finally give up and release it publicly, the
> companies attack the researchers' credibility.  Then finally they say "yeah,
> well, that fix is in the new release, you'll have to install new software."
> Preferably at a price.

Well put.

Do you think Microsoft would've been so complacent about BSOD and
security flaws for a decade if it had to pay for reasonable remedial
action for all/any users? [nope]
If they'd had to pony up for just the Melissa & "I love you"
worms/viruses, things would be vastly different now, including their
bottom line which they prize above all else.

Let's hope any laws passed don't get prescriptive, but focus on
Accountability and Outcomes.

The Trade Practices Act already has enough teeth; what's needed is the
right for ordinary folk and Class Actions against Software Vendors (i.e.
for-pay, not for-free) to sue for costs, compensation, even punitive
damages. [Consequential Damages are the 'gold standard' for consumers.]

While we're playing in Fantasy Land, I'd like ISPs and Telcos to be
held to account as well :-)

<snip>

> While I don't think that it will dramatically change the landscape to make
> software (and hardware) companies liable for their vulnerabilities, it will
> put more pressure on them to be more public and quick to act.  It gives
> security researchers more fangs.

Well said.

> 
> Have fun,
> 
> Paul

-- 
Steve Jenkin, Info Tech, Systems and Design Specialist.
0412 786 915 (+61 412 786 915)
PO Box 48, Kippax ACT 2615, AUSTRALIA

sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin

