The problem is that we're still dealing with something that is pretty  
much anecdote - I don't disagree that it improved the security profile  
of a lot of networks, but I have no way to speak about it  
quantitatively.  I can talk about such things qualitatively, but
it's still in the domain of anecdote.  I'd be more comfortable with  
that except we've been speaking in anecdote for almost forty years,  
and the problem is that we don't really know if anything works besides  
these epic megafixes.




On Sep 29, 2009, at 11:00 AM, Dan Kaminsky wrote:

> "Any" security measure is a bit much.  The collection of fixes that
> went alongside XPSP2 was pretty epic (firewall by default, massacre of
> SMB's anonymous surface, windows update) and almost entirely killed
> worms -- and their company-wide-compromises -- quantifiably.
>
> On Tue, Sep 29, 2009 at 4:15 PM, Michael Collins <[email protected]> wrote:
>> I've done some cursory searching, and I'm in the midst of a deeper lit
>> review right now, but all signs point to there not being empirical
>> evidence for the effectiveness of any security measure.  I'll say more
>> when I've read more
>>
>> Sent from my iPhone
>>
>> On Sep 28, 2009, at 3:50 PM, Nick FitzGerald <n...@virus-l.demon.co.uk> wrote:
>>
>>> [email protected] to Dan Kaminsky:
>>>
>>>>> Is there a source of data showing 10,000 machines with AV are less
>>>>> likely to be infected than 10,000 machines without?
>>>>
>>>> I'm sure there is, ...
>>>
>>> I'm not so sure there is -- in fact, I'm fairly sure there is no such
>>> study.
>>>
>>>> ... but I would have to say that machine platform
>>>> would play a major factor for infection along with user.
>>>
>>> If you treat "infection" as a purely binary state, then maybe not so
>>> much...
>>>
>>> If you count each instance of "different" malware per machine, then
>>> probably so...
>>>
>>>>  If we're talking 10,000 windows home users without A/V, VS. 10,000
>>>> Windows home users with AV, I'd say for certain that those without
>>>> are more likely to become infected.  Would be interesting to see a
>>>> formal study on this though....
>>>
>>> As I said, the results are much less certain depending on how you
>>> define "infected".
>>>
>>>>  For *nix platforms there is a greater chance of having a file that
>>>> is infected stored on it waiting for a vulnerable box to grab it and
>>>> run it than the *nix box itself getting infected.
>>>
>>> But if we add "owned" to the things we count as "infected"...
>>>
>>>
>>>
>>> Regards,
>>>
>>> Nick FitzGerald
>>>
>>>
>>> _______________________________________________
>>> Fun and Misc security discussion for OT posts.
>>> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
>>> Note: funsec is a public and open mailing list.
