Service to human race or fame seeking selfishness?

[Guest]

[gibran]

As I've mentioned, you're getting confused between a vendor not being eligible to receive samples because the tester feels that the samples are his own private property (they're not), and because the tester feels that he's not an employee for that vendor who collects samples for them due to their own inability to do so. If you believe your misconception is actually true, can you explain to us why testers would hand over their "private property" simply based on how much of it vendors can detect? It makes no sense at all.

Again I ask to you If you know about a specific AV tester who does this and describe his selection criterias  and the minimal requirements testing procedures that could be possibly used to restrict sample sharing I will gladly add it to my favourites. I still would like to know if there is an AV tester that thoroughfully disclose his/her selection criteria and minimum requirement testing methodology to let everyone understand the restriction imposed on malware sharing and let everyone decide if or if not such restrictions are discriminatory.

Not entirely, no. But it does tell the tester which vendors are simply trying to leech samples off him.

With all possible imaginable selection criterias I see you are eager to call me confused, neglect IMHO important aspects as misconceptions and simply state that.
I see you carefully evading to try to describe a non discriminatory selection criteria leaving to the readers the effort to verify if any tester or vendor do use your suggested criterias.

That is actually the case that happens with most competent vendors, yes. One of the metrics of a good product happens to be the ability to protect its users from malware before said users run into said malware. It doesn't matter if a product can add and release detection within minutes after receiving user submisssions. If it consistently detects only a poor percentage of malware before that, it's still a bad product. Aside from some dedicated volunteers, user submitted samples among good products are typically insignificant compared to the number the vendor itself gathers from other sources.

How reassuring, but you completely omitted to state how much such irrelevant contribution amounts.

But as I said above, not that this is of much relevance to the tester. The tester is simply interested in ensuring that vendors have their own means of collecting samples other than leeching off him. Which I think is quite a valid concern.

IMHO an overstated concern at least from you presentation. It still comes to mind the simple truth that pharmaceutical companies compete on research and development and not on sample (biological virus) disclosure. I don't see any physician thinking in terms of 'leeching' either.

Assuming a competent vendor, this isn't an issue at all, since the vendor in question (Comodo) is older by far than most of the samples used in most reputable tests. Assuming an incompetent vendor, I think the incompetence is the issue here instead of the age and timeframe of availability of the samples.
In an age where zero-day protection is strived for, I think that the inability to obtain the sample after more than a week - let alone to add and release detection - should be the exception rather than the rule. And if a vendor seems to have a tendency to exhibit this failure not just on the rare occasion, but repeatedly over an extended period of time, I think that's a fairly good indicator of untrustworthiness and/or bad infrastructure on their part. Don't you?

IMHO brands who got more partnerships gain an advantage. Nowhere I read an extimate how much great this advantage will be. Besides the entire system looks autoreferential to me expecially considering your whole presentation.

Your logic would make sense if it was the sales department and management that regulated the sharing of samples and signed the relevant contracts. Sample sharing among researchers (whether they work for vendors or are independent) is often done unofficially, often with no commercial gain for themselves and no specifically dedicated infrastructure set up to facilitate this exchange. Simply because this link is off the top of my head, ESET's ThreatBlog provides a brief glimpse of the nature of this sharing: http://www.eset.com/threat-center/blog/?p=158

Yep it looks private agreements again. I'm interested to read a thorough description of such vetting procedures. I will refrain to post additional considerations and invite everyone to read that "Ethical considerations" part.

But let's assume it's a commercial exchange for now. If this was so, then Comodo's position becomes even easier, as they can simply walk in and ask to buy from others without being hindered by their reputation.
It is irrelevant in this case because Comodo already have the samples delivered right to them. All they need to do is process the samples. Again, this is to prove the point that the popular misconception that vendor has sample = nothing else matters is false.

I don't remember stating so. I do remembers stating that having a sample it is only the first step to research and build an appropriate countermeasure being it an a AV signature that only work on a specific patented AV engine, a removal application, a patented heuristic detection engine or a patented HIPS technology.

I'm simply explaining the status quo because you've provided no solid arguments that things should be any different. "Disclosure" practises? Once again, you make it sound as though a select few entities control who gets which samples. It's simply not possible to exert such control over the industry, when even amateurs like myself have no problems with collecting more malware than I can handle. And until you can stop making this fallacy the crux of your arguments, I don't think we'll get anywhere, simply because we're spending all our time just trying to get you to base your points on facts instead of popular myth.

I feel the explanation extremely lacking. Indeed you provided some explanation but you missed the whole point.

Once again  IMHO the whole point is still  if sample sharing should be regulated by private agreements whereas biological viruses are treated in a different way for obvious reasons.

I still wonder what people would think if a pharmaceutical company could prevented to "leech" a virus/ bacteria sample to research and develop a new vaccine because it has to prove, for example, how many other vaccines it has already developed (and what would be the minimum number of developed vaccines required).

What is an established practice in the current AV ecosystem compared to the biological counterpart and furthermore your explanations confirmed my concern that computer viruses are treated as a second rate threat whereas their biological siblings evoke totally different considerations.

[John Buchanan]

Please, this isn't going to turn ugly, is it?

[gibran]

Please, this isn't going to turn ugly, is it?

If you deem I offended solcroft in any way please send me a PM and let me know more about it. I will try my best to cope with your concerns.

I 'm sorry about any misbehavior on my part.

[John Buchanan]

I do not think you have offended him, Gibran.  I am just thinking of the previous discussion with Solcroft that led to a 'battering' if you will against this person. 
I enjoy a great debate/conversation as much as reading the discussion between you two.  It is very informative (thank you). I feel humbled by the depth and length of your debate.
No disrespect was intended if that is how you took this.
I am simply making a comment. 
I look forward to reading further your discussions.

[solcroft]

Again I ask to you If you know about a specific AV tester who does this and describe his selection criterias  and the minimal requirements testing procedures that could be possibly used to restrict sample sharing.

AV-Comparatives provides a methodology listing of its procedures on its website, specifically here: http://www.av-comparatives.org/seiten/ergebnisse/methodology.pdf

AV-C and AV-Test are the only tests whose results I personally consider to be reliable right now, other than my own, of course. Unfortunately, Andreas Marx of AV-Test doesn't seem to make his organization's test methodology readily available, but from what I've seen he does respond to email queries from the public. Perhaps you could contact him and find out?

With all possible imaginable selection criterias I see you are eager to call me confused, neglect IMHO important aspects as misconceptions and simply state that.
I see you carefully evading to try to describe a non discriminatory selection criteria leaving to the readers the effort to verify if any tester or vendor does meet your suggested criterias.

I believe you're confused simply because you cannot seem to recognize the fact that testers not sharing samples doesn't necessarily mean they believe their samples are "private property" that belong to them. I was a participant in an online conversion with IBK of AV-C some time ago, where we were told in response to a question that the criterias were set in place to prevent indiscriminate sharing of samples with non-trustworthy vendors. Even though the exact percentage to qualify to receive samples from AV-C doesn't seem to be publicly available anymore, I've seen no reason so far to doubt IBK's claim, as his methodology appears to be in line with his stated aims.

Of course, I may be wrong, and you know perfectly well what you're talking about. But so far I've seen no evidence to back up your claims, either from you or anyone else. If you have proof that testers actually deliberately discriminate against vendors they don't like and deliberately withhold samples from them even though they meet the minimum criteria, please do share.

IMHO an overstated concern at least from you presentation. It still comes to mind the simple truth that pharmaceutical companies compete on research and development and not on sample (biological virus) disclosure. I don't see any physician thinking in terms of 'leeching' either.

I'm not a biologist, and luckily for me this thread concerns computer viruses and not biological ones. To return to the topic at hand: in what way exactly do you believe that a tester not wanting to become a collector for vendors who don't have their own facilities is an unreasonable concern?

I can offer a few educated guesses to your question, though. Pharmaceutical companies require to be approved by the government. I don't imagine that there would be problems sharing biological virus samples among the pharmaceutical industry, as one is assured that everyone is certified to government and/or international standards. Not so with the antivirus industry. If it wants to maintain a semblance of professionalism and integrity, self-regulating standards are necessary, especially for an industry based so heavily on trust.

IMHO brands who got more partnerships gain an advantage. Nowhere I read an extimate how much great this advantage will be. Besides the entire system looks autoreferential to me expecially considering your whole presentation.

There is an advantage, yes. But last I checked testers do not demand perfect performance from vendors before sharing samples with them. There would be nothing to share anyway, if that were the case. There is simply a minimum baseline to be achieved. I think that the ability to obtain samples within one week is a very reasonable minimum baseline indeed, given that the aim should be zero-day protection and one week leaves a VERY big margin of error. Too big in my opinion, in fact.

Yep it looks private agreements again. I'm interested to read a thorough description of such vetting procedures. I will refrain to post additional considerations and invite everyone to read that "Ethical considerations" part.

What private agreements, exactly? You display a disturbing consistency of NOT providing any explanations at all - let alone evidence - behind your repeated insinuations.

I don't remember stating so. I do remembers stating that having a sample it is only the first step to research and build an appropriate countermeasure being it an a AV signature that only work on a specific patented AV engine, a removal application, a patented heuristic detection engine or a patented HIPS technology.

"Eg using a minimum detection rate as a selection criteria means that the sampleset composition only evaluate malware gathering abilities..."

- http://forums.comodo.com/melihs_corner_ceo_talkdiscussionsblog/service_to_human_race_or_fame_seeking_selfishness-t27113.0.html;msg209363#msg209363

Does that refresh your memory?

I feel the explanation extremely lacking. Indeed you provided some explanation but you missed the whole point.

I realize you were looking for an explanation of why sample sharing should be regulated by private agreements, but a little reading of what I've said will reveal to you that my explanation was that there is no such thing "regulations" and "private agreements". They have no way of regulating or restricting me as an amateur, and they have no way of doing the same to large international corporations in the industry. Samples are available regardless of whether testers want to share them. They can and will be obtained if one wants to do so, and there is nothing anyone can do about it short of banning the internet. Again, until you can stop using this fallacy as the crux of your arguments, we'll simply go around in circles.

[gibran]

AV-Comparatives provides a methodology listing of its procedures on its website, specifically here: http://www.av-comparatives.org/seiten/ergebnisse/methodology.pdf

AV-C and AV-Test are the only tests whose results I personally consider to be reliable right now, other than my own, of course. Unfortunately, Andreas Marx of AV-Test doesn't seem to make his organization's test methodology readily available, but from what I've seen he does respond to email queries from the public.

I read that paper (august 2008 revision dated 15/09/2008) and found it difficult to understand.

Is detection rate used as a selection criteria  to deem a vendor eligible to possibly receive samples?
If so can you explain what sampleset it is used in that case?

The full one?
The one who includes only malware not older than one year?

Does that paper explicitely state what is the minumum detection criteria?

I believe you're confused simply because you cannot seem to recognize the fact that testers not sharing samples doesn't necessarily mean they believe their samples are "private property" that belong to them.

I see. In that regard I'm surely confused. Even though it doesn't necessarily mean that, I feel concerned in that regard and I believe such aspects should be thoroughfully and publicly documented. Sure it will not be something diffiult to do.

I was a participant in an online conversion with IBK of AV-C some time ago, where we were told in response to a question that the criterias were set in place to prevent indiscriminate sharing of samples with non-trustworthy vendors. Even though the exact percentage to qualify to receive samples from AV-C doesn't seem to be publicly available anymore, I've seen no reason so far to doubt IBK's claim, as his methodology appears to be in line with his stated aims.

Then you surely asked what sampleset is used for that type of vetting procedure.

Still I would like to know what you consider a non discriminatory selection criteria leaving to the readers the effort to verify if any tester or vendor do use your suggested criteria.

Of course, I may be wrong, and you know perfectly well what you're talking about. But so far I've seen no evidence to back up your claims, either from you or anyone else. If you have proof that testers actually deliberately discriminate against vendors they don't like and deliberately withhold samples from them even though they meet the minimum criteria, please do share.

Do I have a possible way to verify that? Does this mean any AV tester who could possibly deny sample disclosure provide a way to verify eligibility criteria?
Eg in case a detection rate test is used would it be reasonable to assume that a list of CRC hashes of missed samples would be provided?
This would at least allow a rejected vendor to know if they possibly were able to gather an undetected sample at a later time.

EDIT: I just noticed that the above quote regarded deliberately discriminatory criteria. This does not mean I endorse that description and I wish to make my excuses for carelessy replying  to that without explicitly clarifying this point. I also feel the term "subjective", "biased" or "flawed" to be a fitting substitute for all the times I borrowed the term "discriminatory" in my replies.

I'm not a biologist, so I must admit I do not know enough to hold a debate in that area. Fortunately, however, this thread concerns computer viruses and not biological ones. To return to the topic at hand: in what way exactly do you believe that a tester not wanting to become a collector for vendors who don't have their own facilities is an unreasonable concern?

IMHO tester should be concerned how to carry her/his test correctly. The mere fact an AV tester can use a rare sample to test any AV is not relevant too provided they follow their publicly available methodology.  I'm sure we will likely unable to agree on which can be or cannot be inferred by such tests in the context of the stated methodology.
This is not enough IMHO to neglect as irrelevant the difference with pharmaceutical companies. You can feel free to do so though.

Although I will wonder if you think that a pharmaceutical company could be legitimately prevented to gather a sample to develop a vaccine and if such case could be considered 'leeching'.

There is an advantage, yes. But last I checked testers do not demand perfect performance from vendors before sharing samples with them. There would be nothing to share anyway, if that were the case. There is simply a minimum baseline to be achieved.

I'm more likely to guess that vendors with many partnerships, well established marketshare and who possibly started to develop their AV more than five years ago maybe will have almost nothing to get from a whatsoever AV tester. I guess the a tester could possibly 'leech' some samples instead. I would be surely interested to read any documentation about these aspects.

I think that the ability to obtain samples within one week is a very reasonable minimum baseline indeed, given that the aim should be zero-day protection and one week leaves a VERY big margin of error. But it appears that you don't agree. How much of a margin do you think would be acceptable, then? One month? Six?

I used one week as example in first instance, though I wondered if it was reasonable. Thanks for providing such answer. This partly solve the nowhere-to-be found paradox you previously described and provide reader a more specific context to a previous reply of mine.
I don't have any specific expectation and I would be more inclined to consider reasonable the average result of specific tests designed to measure that in a representative sample of AV brands.
Provided that the bias caused by cross-vendor sharing partnerships would be removed. Even though I'm interested to know if such tests are available.

What private agreements, exactly? You display a disturbing consistency of NOT providing any explanations at all - let alone evidence - behind your repeated insinuations.

Oh my! Is private agreement an insinuation? The private nature of an agreement doesn't surely mean that such agreement will not publicly announced. Anyway IMHO I guess Public utility may be a better alternative to the current AV ecosystem and I hope no one will consider that disturbing.

"Eg using a minimum detection rate as a selection criteria means that the sampleset composition only evaluate malware gathering abilities..."

- http://forums.comodo.com/melihs_corner_ceo_talkdiscussionsblog/service_to_human_race_or_fame_seeking_selfishness-t27113.0.html;msg209363#msg209363

Does that refresh your memory?

As I stated that having a sample it is only the first step to research and build an appropriate countermeasure being it an a AV signature that only work on a specific patented AV engine, a removal application, a patented heuristic detection engine or a patented HIPS technology in my first reply to your post I still wonder how could you infer this

Again, this is to prove the point that the popular misconception that vendor has sample = nothing else matters is false.

using that refreshing reference posted way later than my first reply.

I realize you were looking for an explanation of why sample sharing should be regulated by private agreements, but a little reading of what I've said will reveal to you that my explanation was that there is no such thing "regulations" and "private agreements".

What does specific circumstances under tightly-controlled conditions with vetted individuals mean?
Yes there is no regulation like for Public Utilities.
Sharing is currently carried on a per case basis with individual agreements between private parties.

They have no way of regulating or restricting me as an amateur, and they have no way of doing the same to large international corporations in the industry. Samples can and will be obtained if one wants to do so, and there is nothing anyone can do about it short of banning the internet. Again, until you can stop using this fallacy as the crux of your arguments, we'll simply go around in circles.

Yes everyone can privately gather maleware samples. They can also privately choose to share them or not.

I guess everyone could read all your rearmks and then decide whenever my viewpoint was based on a fallacy or not. I did not assume you considered it otherwise and I thank you for your efforts to describe your viewpoint.

[solcroft]

Is detection rate used as a selection criteria  to deem a vendor eligible to possibly receive samples?

Keep in mind that my answers here are based on how I personally understand them to be, and do not necessarily reflect what really happens at AV-C (i.e. I may be mistaken):

Detection rate is used as a selection criteria to determine which vendors can participate in the test. Since the participants will receive the samples their product misses during testing, by extension it can be said that detection rate is also a criteria used to determine which vendor receives samples.

If so can you explain what sampleset it is used in that case?

Does that paper explicitely state what is the minumum detection criteria?

No to both questions, unfortunately. The distinction between Set A and Set B was introduced only in the last comparatives (results released last month) and was not present in any comparatives before that. For the second question, if memory serves me correctly, the threshold is 80%. This seems to have been changed, though, as it is no longer mentioned in the methodology report.

Even though it doesn't necessarily mean that, I feel concerned in that regard and I believe such aspects should be thoroughfully and publicly documented.

Most of it is publicly documented. For the missing details that you deem to be important, I suggest it would be prudent to verify them by contacting the testers in question, before subscribing wholesale to Melih's one-sided propaganda.

Still I would like to know what you consider a non discriminatory selection criteria leaving to the readers the effort to verify if any tester or vendor do use your suggested criteria.

I personally feel there's nothing discriminatory about the current practises. Do you feel that there are any aspects that are biased?

Can I have a possible way to verify that? Does this mean any AV tester who could possibly deny sample disclosure provide a way to verify eligibility criteria?
Eg in case a detection rate test is used would it be reasonable to assume that a list of CRC hashes of missed samples would be provided?

Unfortunately the burden falls upon the maker of the claim (i.e. you) to prove that. If you have no way to conclusively demonstrate that your claims are true and that testers deliberately deny vendors entry even through the minimum standards are reached, then I'm afraid that's that.

IMHO tester should be concerned how to carry her/his test correctly.

Unless you're trying to insinuate that they don't, your little snippet is quite irrelevant to the discussion at hand.

I will wonder if you think that a pharmaceutical company could be legitimately prevented to gather a sample to develop a vaccine though and if such case could be considered 'leeching' for sure.

Let's assume that, like antivirus vendors, pharmeceutical companies aren't subject to government certification and are not assured to adhere to a certain standard of ethics and professionalism. A company with a poor standing and reputation demands supplies of anthrax and ebola from other companies with established track records. Would you approve of the fact that lethal toxins are being handed out in broad daylight to anyone that demands them, without any form of control whatsoever? Would you support your lawmakers if they pushed for such legislation?

I think it'd be insane, and I'd start to seriously consider applying for citizenship in another country far far away. But to each his own.

I'm more likely to guess that vendors with many partnerships, well established marketshare and who possibly started to develop their AV more than five years ago maybe will have almost nothing to get from a whatsoever AV tester. I guess the a tester could possibly 'leech' some samples instead.

While that happens as well, even the best-scoring vendors typically miss ~10k samples if you observe the numbers in the results. But as I said previously, it's a two-way process; vendors receive samples from testers, and vice versa.

Oh my! Is private agreement an insinuation? The private nature of an agreement doesn't surely mean that such agreement will not publicly announced.

If you are willing to clarify what YOU mean about "private agreement", then we could inspect whether you're trying to insinuate. There's a lot of things that could be inferred from your use of the term. For example, people might believe that beneath-the-table commercial profits or personal gain are involved, as Melih tries to imply.

As I stated that having a sample it is only the first step to ... I still wonder how could you infer this

It's not really a big wonder when you said those words yourself. But if we can agree that that's a faulty viewpoint, then there shouldn't be any further issues.

What does specific circumstances under tightly-controlled conditions with vetted individuals mean?

Perhaps it means exactly what it says. The vendor providing the samples (ESET in this case) wishes to verify that the samples will be carefully and professionally handled, and that the receiving party is of trustworthiness and integrity, before agreeing to share samples. I think those conditions are both fair and necessary. Don't you?

I wish to clarify that there are no regulations and private agreements on who can possess which samples. While a tester, vendor, or an organization can choose to not share samples with another party not within their circle of trust, they are absolutely powerless to prevent that party from obtaining those samples via other means, of which there are many.

Yes everyone can privately gather maleware samples. They can also privately choose to share them or not.

Exactly. Everyone can gather malware samples. There are no restrictions or agreements or what-have-you preventing anyone from gathering malware. It therefore strikes me as odd that Melih seems to be trying to portray Comodo as being at the mercy of testing organizations; I certainly hope it isn't.

[gibran]

Keep in mind that my answers here are based on how I personally understand them to be, and do not necessarily reflect what really happens at AV-C (i.e. I may be mistaken):

Detection rate is used as a selection criteria to determine which vendors can participate in the test. Since the participants will receive the samples their product misses during testing, by extension it can be said that detection rate is also a criteria used to determine which vendor receives samples.
No to both questions, unfortunately. The distinction between Set A and Set B was introduced only in the last comparatives (results released last month) and was not present in any comparatives before that. For the second question, if memory serves me correctly, the threshold is 80%. This seems to have been changed, though, as it is no longer mentioned in the methodology report.
Most of it is publicly documented. For the missing details that you deem to be important, I suggest it would be prudent to verify them by contacting the testers in question,

I asked if there is an AV tester that thoroughfully disclose his/her selection criteria and minimum requirement testing methodology to let everyone understand the restriction imposed on malware sharing and let everyone decide if or if not such restrictions are discriminatory. Let's leave it at that. This topic doesn't pertain a specific tester either.

It's not really a big wonder when you said those words yourself. But if we can agree that that's a faulty viewpoint, then there shouldn't be any further issues.
Perhaps it means exactly what it says. The vendor providing the samples (ESET in this case) wishes to verify that the samples will be carefully and professionally handled, and that the receiving party is of trustworthiness and integrity, before agreeing to share samples. I think those conditions are both fair and necessary. Don't you?

I have to trust that. Anyway that is what I call an agreement between private parties.
On the other hand I would have preferred to read about ESET vetting procedures and related vetting methodologies.

If you are willing to clarify what YOU mean about "private agreement", then we could inspect whether you're trying to insinuate. There's a lot of things that could be inferred from your use of the term. For example, people might believe that beneath-the-table commercial profits or personal gain are involved

It is funny to challenge a misintepreted statement with an insinuation but I guess if "individual agreement between private parties" at the end of my previous reply do not clarify this point, people will read your claim and agree with it.

I personally feel there's nothing discriminatory about the current practises. Do you feel that there are any aspects that are biased?

I'm still concerned. Besides the whole point IMHO is still if sample sharing should be regulated by agreements between private parties whereas biological viruses are treated in a different way for obvious reasons.

Unfortunately the burden falls upon the maker of the claim (i.e. you) to prove that. If you have no way to conclusively demonstrate that your claims are true and that testers deliberately deny vendors entry even through the minimum standards are reached, then I'm afraid that's that.

EDIT: I just noticed I carelessy replied to the above statement. This does not mean I endorse that description and I wish to make my excuses for not explicitly clarifying this point.

I beg to differ. Like methodologies are published and thoroughfully documented so should be vetting procedures.

To be more precise I guess I should state that I was not able to find a public and thorough description of such vetting procedures.

Once a methodology is published it is also possible to know how the end result (the test or vetting procedure) should be regarded.
This is the reason methodological paper are released along tests.

Like mine my concerns about possibly flawed vetting criteria IMHO your statement about a direct relation about simple tests and 'leeching' or trustworthiness is a claim speculation. It should be obvious with all that we both posted that anyone could get an idea about mine and your statements and decide by themselves.

Let's assume that, like antivirus vendors, pharmeceutical companies aren't subject to government certification and are not assured to adhere to a certain standard of ethics and professionalism. A company with a poor standing and reputation demands supplies of anthrax and ebola from other companies with established track records. Would you approve of the fact that lethal toxins are being handed out in broad daylight to anyone that demands them, without any form of control whatsoever? Would you support your lawmakers if they pushed for such legislation?
I think it'd be insane, and I'd start to seriously consider applying for citizenship in another country far far away. But to each his own.

Thanks for the clarification. I would have expected you to cite a minimal number of developed vaccines as a proof of that company standing. My mistake.

While that happens as well, even the best-scoring vendors typically miss ~10k samples if you observe the numbers in the results. But as I said previously, it's a two-way process; vendors receive samples from testers, and vice versa.

Thanks for the clarification. This info is unsettling for me anyway there is nothing more I could add in that regard without triggering a recursive endless discussion.

I wish to clarify that there are no regulations and private agreements on who can possess which samples. While a tester, vendor, or an organization can choose to not share samples with another party not within their circle of trust, they are absolutely powerless to prevent that party from obtaining those samples via other means, of which there are many.
Exactly. Everyone can gather malware samples. There are no restrictions or agreements or what-have-you preventing anyone from gathering malware.

Provided that PGP "Web of Trust" is a self referential verification mechanism I have to guess  that what you meant with circle of trust doesn't imply that.

Anyway I prefer more an approach like Public Utilities as malware fighting IMHO should be regarded as a public service this is why I quoted

Every year, the World Health Organization predicts which strains of the virus are most likely to be circulating in the next year, allowing pharmaceutical companies to develop vaccines that will provide the best immunity against these strains.

so many times.

[gibran]

Of course, I may be wrong, and you know perfectly well what you're talking about. But so far I've seen no evidence to back up your claims, either from you or anyone else. If you have proof that testers actually deliberately discriminate against vendors they don't like and deliberately withhold samples from them even though they meet the minimum criteria, please do share.

I just noticed that a quote I replied in one of my previous posts regarded deliberately discriminatory criteria. This does not mean I endorse that description and I wish to make my excuses for carelessy replying  to that without explicitly clarifying this point. I also feel the term "subjective", "biased" or "flawed" to be a fitting substitute for all the times I borrowed the term "discriminatory" in my replies.

Unfortunately the burden falls upon the maker of the claim (i.e. you) to prove that. If you have no way to conclusively demonstrate that your claims are true and that testers deliberately deny vendors entry even through the minimum standards are reached, then I'm afraid that's that.

I just noticed I carelessy replied to the above quote. This does not mean I endorse that description and I wish to make my excuses for carelessy replying  to that without explicitly clarifying this point.

[solcroft]

I have to trust that. Anyway that is what I call an agreement between private parties.
On the other hand I would have preferred to read about ESET vetting procedures and related vetting methodologies.

I like to think that it's a dynamic procedure in most cases. Elements of human judgment are invariably involved when we try to decide if other people are trustworthy. Complete reliance on a specific list of outlined steps and check boxes to tick off would on the other hand sound to me like an exceedingly flawed method to achieve this.

I'm still concerned.

Of course you are. But that wasn't my question. What gives you cause for this concern, exactly?

Besides the whole point IMHO is still if sample sharing should be regulated by agreements between private parties whereas biological viruses are treated in a different way for obvious reasons.

I do not know if sharing of biological viruses are bound by private agreements or not, so I cannot challenge you on that claim. Nonetheless, I would imagine it must be bound by regulations, in some form or other, in any civilized country. Those regulations might be private, public, and/or government-enforced via legislation. I believe you are very much mistaken in your claim that trade of biological viruses are unrestricted – at least, I hope you are.

Once a methodology is published it is also possible to know how the end result (the test or vetting procedure) should be regarded.
This is the reason methodological paper are released along tests.

Like mine my concerns about possibly flawed vetting criteria IMHO your statement about a direct relation about simple tests and 'leeching' or trustworthiness is a claim speculation. It should be obvious with all that we both posted that anyone could get an idea about mine and your statements and decide by themselves.

Whether a vendor is approved or not to participate in the test is not public domain. Whether a vendor even applied to participate in the test is pretty much unknown save to the vendor itself and the tester. Professional testers have an interest to ensure public trust and confidence among their test results published for public consumption, but which vendors applied for participation, and succeeded/failed is not public domain, and something that concerns only the vendor and the tester. If the vendor is satisfied by the response provided by the tester that their product does not meet the minimum criteria, then so am I.

I prefer to hold a more pragmatic and realistic view of the situation, and am personally not too concerned with details that are irrelevant to the overall picture. I do not see how detection rate – a simple performance parameter that is measurable with flat numbers – can be a discriminatory criteria. Your concern so far, as I understand it, is that you are not privy to every single intimate detail about the tests, and hence something must be wrong. If that is what's worrying you, it would be prudent to seek clarification from the testers instead of succumbing to FUD, as I have suggested. From what I've seen they (the testers) are fairly receptive to public correspondence.

[gibran]

I like to think that it's a dynamic procedure in most cases. Elements of human judgment are invariably involved when we try to decide if other people are trustworthy. Complete reliance on a specific list of outlined steps and check boxes to tick off would on the other hand sound to me like an exceedingly flawed method to achieve this.

Elements of human judgment used to vet trustworthiness can also written on paper. It should not a difficult step to outline such methodological description.

Besides it looks like you are describing how people decide their private friendships. I wonder if with circle of trust you were referring to this.
Again considering your whole viewpoint  and not that single sentence I have to assume you didn't.

Of course you are. But that wasn't my question. What gives you cause for this concern, exactly?

I outlined my concerns in my previous posts. The entire AV ecosystem carry a public service task worldwide and is formed by many different entities and appears to be mostly self-regulated. Instead to implicitily trust the entire system I wish to know more about the specific details whereas I have concerns or speculations.

I do not know if sharing of biological viruses are bound by private agreements or not, so I cannot challenge you on that claim. Nonetheless, I would imagine it must be bound by regulations, in some form or other, in any civilized country. Those regulations might be private, public, and/or government-enforced via legislation. I believe you are very much mistaken in your claim that trade of biological viruses are unrestricted – at least, I hope you are.

I implicitely trusted you to not misrepresent my viewpoint before, I was too naive. I never stated that trade of biological viruses are unrestricted and I think that such regulations are not "private".

I don't have to make claims either as biological viruses are approached with much different attitude to the point there is a sovra-national organization.

Every year, the World Health Organization predicts which strains of the virus are most likely to be circulating in the next year, allowing pharmaceutical companies to develop vaccines that will provide the best immunity against these strains.

Besides I'll simply restate the obvious as you obviously missed my point.

Like methodologies are published and thoroughfully documented so should be vetting procedures.

To be more precise I guess I should state that I was not able to find a public and thorough description of such vetting procedures.

Once a methodology is published it is also possible to know how the end result (the test or vetting procedure) should be regarded.
This is the reason methodological paper are released along tests.

Methodological papers are not published on a whim they are to correctly interpret the end results and possibly know what could be inferred.

It's not as simple as saying I trust Jane Doe then her test is reliable, but I trust Jane Doe to carry her test following the stated methodology hence I can correctly interpret her results.

While I still think that public services or regulation would be a fitting alternative to the current AV ecosystem I can only add, for example, that that in case of public regulation the vetting procedures or application rejections are thorougfully documented even if not always publicly disclosed. I also assume Public regulations to be open for comments and improvements in order to better serve the public.

I prefer to hold a more pragmatic and realistic view of the situation, and am personally not too concerned with details that are irrelevant to the overall picture. I do not see how detection rate – a simple performance parameter that is measurable with flat numbers – can be a discriminatory criteria.

Like I said before.

Numbers do tell the truth (I could add within the stated published methodology)
They surely do for detection rates of known samples.

If it's all that matters.

Your concern so far, as I understand it, is that you are not privy to every single intimate detail about the tests, and hence something must be wrong. If that is what's worrying you, it would be prudent to seek clarification from the testers instead of succumbing to FUD, as I have suggested. From what I've seen they (the testers) are fairly receptive to public correspondence.

Yes I could privately email any AV company or tester out there who did not publicly and thoroughfully disclose its/her/his vetting procedures and methodologies  and ask for clarification and even speculate on eventual vetting differences.

I should also be ashamed for wondering about such irrelevant things, I guess.

Even if I cannot completely exclude that such vetting procedure are or will be publicly and thoroughfully disclosed I still feel such deregulation to be inappropriate for a possibly pandemic threat like computer viruses.

Besides I think the entire AV ecosystem should be regarded as a whole.

Even if each single entity of this system got an ISO-9000 certification that will only pertain a single entity as a distinct element from the whole whereas it's the entire AV ecosystem that carry the entire public service process.

[solcroft]

Elements of human judgment used to vet trustworthiness can also written on paper. I's not a difficult step to outline a methodological description.

Perhaps, perhaps not. But that article was hardly written to specifically describe vetting procedures as its purpose. I posted it as an example simply because you were describing sample sharing between vendors as "private agreements" that were dictated by "business logic" - a misleading claim at best.

I outlined my concerns in my previous posts. Instedad to implicitily trust the entire system I wish to know more about the specific details whereas I have concerns or speculations.

Your previous posts outlined bias, discrimination, "private agreements", "business logic", and malware not being shared because their collecters viewed them as "private property", among others. I take it that you have learned something from this discussion, that you are now at least willing to admit you have no idea if those elements as you describe them actually exist at all.

I implicitely trusted you to not misrepresent my viewpoint before, I was too naive. I never stated that trade of biological viruses are unrestricted and I think that such regulations are not "private".

Then what were you trying to state, exactly? If you were trying to say that trade of biological viruses are indeed restricted and bound by regulations, then you wouldn't have needed to raise the issue as a contrasting comparison at all. I suspect you know better than anyone else that your viewpoint has not been misrepresented. You raised the issue of biological viruses to challenge the current status quo of malware sharing being bound by regulations and agreements. But your example was faulty - and that's all there is to it.

[gibran]

Perhaps, perhaps not. But that article was hardly written to specifically describe vetting procedures as its purpose. I posted it as an example simply because you were describing sample sharing between vendors as "private agreements" that were dictated by "business logic" - a misleading claim at best.

IMHO that page as it is represent an inappropriate example because without an implicit context you are assuming it generates a circular reference.

IMHO it failed to thoroughfully explain what happens and while I could be inclined to trust it as it is this does not mean that a different link about vetting procedures and methodologies would have been more exhaustive. Provided it doesn't address what I obviosly tried to explain in my last post.

Your previous posts outlined bias, discrimination, "private agreements", "business logic", and malware not being shared because their collecters viewed them as "private property", among others

I wish you to remember that it was you who introduced the term discrimination in this discussion.

As you obviously misinterpreted many points I expressed, I still think that a per case individual agreement between private parties is what I consider applicable to private property.

Besides I guess I should explicitely state that I don't think that malware samples should be shared using a Creative commons license either

I take it that you have learned something from this discussion, that you are now at least willing to admit you have no idea if those elements as you describe them actually exist at all.

What I could grasp from your presentation it is the same 'Perhaps, perhaps not' you used few times already.

Then what were you trying to state, exactly? If you were trying to say that trade of biological viruses are indeed restricted and bound by regulations, then you wouldn't have needed to raise the issue as a contrasting comparison at all. I suspect you know better than anyone else that your viewpoint has not been misrepresented.

That was simply to point a different model implicitely neglected by your presentation.

You raised the issue of biological viruses to challenge the current status quo of malware sharing being bound by regulations and agreements. But your example was faulty - and that's all there is to it.

At least I see you to use the term agreement. You did not use self-regulation this time though.
I certainly did not state there are no rules and  I guess you could agree that there is deregulation.

[solcroft]

IMHO it failed to thoroughfully explain what happens and while I could be inclined to trust it as it is this does not mean that a different link about vetting procedures and methodologies would have been more exhaustive.

You could also be inclined to misgivings and continue to regard them as subject to "business logic" in such transactions even without any leads or evidence. Why the sudden generosity with the benefit of doubt now?

I wish I could provide you with more concrete evidence, but since I'm not an industry insider myself most of my knowledge of such matters are from anecdotal evidence during correspondence with those who are inside the industry. As I've said, I believe the same venue is open to you should you be genuinely interested in facts instead of simply taking the easy way out and subscribing to FUD.

I wish you to remember that it was you who introduced the term discrimination in this discussion.

The synonymical term, yes. The concept, no. And certainly at no point in this discussion was I a proponent of its existence; I believe that distinction belongs to you.

That was simply to point a different model implicitely neglected by your presentation.

And what model would that be? Regulations exist all the same. In the case of the pharmaceutical industry it is well-regulated by government and international bodies. In the absence of those bodies in the antivirus industry the vendors take it upon themselves to set self-imposed standards so as to preserve integrity and professionalism. You don't simply hand out samples to anyone who asks for it; that holds true for both drug companies AND antivirus vendors.

At least I see you to use the term agreement.

Yes, if only to describe your side of the argument.

[gibran]

Why the sudden generosity with the benefit of doubt now?

I did reply in a similiar way when you first posted that specific example.

I wish I could provide you with more concrete evidence, but since I'm not an industry insider myself most of my knowledge of such matters are from anecdotal evidence during correspondence with those who are inside the industry. As I've said, I believe the same venue is open to you should you be genuinely interested in facts instead of simply taking the easy way out and subscribing to FUD.

I don't wish to abuse your posted evidence either nor I wish to deliberately misrepresent your viewpoint.

Other than possibly deem my viewpoint as a conjecture and invite all possible readers to deem your presentation in much higher regard than mine and invite them to possibly read it from the begin there is nothing much I can do other that triggering an endless recursive dicussion every time you post something that IMHO falls in the "possibly, possibliy not" speculation.

This doesn't mean I can accept the current AV ecosystem like it is now and implicitely trust it nor that I cannot have any concerns until I have asked for informations all around the world.

The synonymical term, yes. The concept, no. And certainly at no point in this discussion was I a proponent of its existence; I believe that distinction belongs to you.

I guess this mean I failed to explain the distinction between vetting as end result and vetting procedures and methodologies.
I guess I have to explicitely state that if a methodology is flawed this does't mean it was deliberately designed that way either.

And what model would that be? Regulations exist all the same. In the case of the pharmaceutical industry it is well-regulated by government and international bodies. In the absence of those bodies in the antivirus industry the vendors take it upon themselves to set self-imposed standards so as to preserve integrity and professionalism.

Regulations are not all the same though. Self-imposed standards pertain a deregulation approach.

You don't simply hand out samples to anyone who asks for it; that holds true for both drug companies AND antivirus vendors.

I don't see the need to restate this since I explicitely said "Besides I guess I should explicitely state that I don't think that malware samples should be shared using a Creative commons license either" maybe I should have explicitely mentioned public domain licenses.

[Tags:]