1. 19
  1. 5

    This is absolutely hilarious. ¯\_(ツ)_/¯

    For anyone not in the loop, you can follow https://twitter.com/taviso to get these LOL reports about the modern antivirus software.

    It’s been about the most entertaining account on Twitter for the last couple of months!

    Aren’t you glad he’s working for Google, and not NSA?

    1. 5

      This hurts my brain and, I guess, my pride.

      I’ve tried and failed to explain this to business owners and other decision makers since the early 2000s. I’ve tried showing lists of vulnerabilities in malware scanners, describing the cost of management and troubleshooting problems caused by security software and more.

      In the vast majority of cases customers still went with anti-virus “just in case”.

      The concept of attack surface is completely foreign to so many people I don’t know how to convey the message anymore.

      1. 5

        You’re (I assume) a technical person, trying to convince decision makers to reverse things they were convinced of by sales people. It’s not shameful that they are better at it than you; this is their element.

        1. 1

          But risk management and related communication is my element, so I will continue to feel shameful. I’ll be in the corner.

          1. 1

            Sorry to hear. Point taken though.

        2. 1

          Personally, I stopped using the antivirus software years ago when I noticed just how many times faster my computer ran without it.

        3. 4

          Who are these engineers that have the skills to write an x86 emulator to sandbox executables but do not have the experience to know the security ramifications of doing it in a commercial product?

          1. 2

            Well, it sounds like they assume anything that doesn’t change state is safe. And they’re right in theory, though the list of state changing operations is vast and seemingly unknowable.

            1. 3

              Yeah. As taviso said, that’s true in theory but it means the entire scanner becomes attack surface. The “pass a URL to GetFileAttributes()” thing surely isn’t the only hole that would allow exfiltration.