Wednesday, June 27, 2007

more on whitelisting

or perhaps moron whitelisting... yes dave, i'm taking the bait with the emperor's robin bloor's new clothes article about the decline of anti-virus and the rise of whitelisting... and it's pretty good bait too, since i wrote the rise of whitelisting (anything look familiar?) over a year ago in response to something else robin wrote when his misguided anti-virus-is-dead campaign was still new (a day old judging by the posting dates)...

i haven't really seen much new material that i didn't cover myself in that first response - exotic execution, accuracy of local whitelist management, and scalability of global whitelist management are all outstanding problems with whitelisting... finding out that the whitelist vendors themselves admit to the unmanageable scope of their own efforts is one of the few new things that have come up since then...

robin doesn't address any of this, of course, and like the emperor's new clothes there really isn't anything there in his new article... 2 whitelist companies merged and became bigger than either was before - big whoop...

the only interesting things were the comments on the register's mirror of the article... vesselin bontchev hit the nail on the head several times (and i'd expect nothing less, though i wouldn't have expected vess to be first to post on the register - ugh), but what interested me most was the suggestion that robin bloor's 'research' is funded by the whitelist industry...

clearly this would be some segment of the whitelist industry that is misguided enough to think that anti-virus companies are actually their competitors... it's apples and oranges though, av companies won't be competitors until they start offering whitelist technology of their own... what's so misguided about this, though, is that if they actually manage to take av's place on people's desktops they're ultimately going to wind up also taking av's place in people's cross-hairs... if they displace anti-virus then people will necessarily become just as disenchanted with whitelisting as they are with anti-virus because whitelisting has failings too...

in the comments robin does admit that whitelisting won't stand on its own and that additional technologies will be needed to complement it but weasels out of saying what... i suspect intuitively he knows the answer: at the highest, most abstract level, what complements a whitelist? that's right, a blacklist... though he expressly derides the idea as "positioning" in his article and says that you should never mind it, the fact is that known malware scanning and application whitelisting are natural companions...

i want to call robin bloor a troll, i really do, but if he's being funded by whitelisting companies then what he really is is a shill... either way, i'm done with him - when my arguments (and most other people's arguments) now are the same ones i posted in march of '06 there really is little point in continuing with this... besides, considering the uptick i get in hits based on searches involving the term whitelist when he posts more nonsense, i'm pretty sure the counter-arguments are being heard without additional effort on my part so i can put that "you are being trolled" feeling to rest...

1 comment:

Anonymous said...

Vesselin active and expansive here.
http://www.wilderssecurity.com/showthread.php?t=164982