Domain: ranum.com
Stories and comments across the archive that link to ranum.com.
Comments · 151
-
Re: Don't be lazy programmers
Could it be Personal observations on the reliability of the Shuttle, by R.P. Feynman? -
The Six Dumbest Ideas in Computer Security...
A new study from email security company Mimecast shows that malicious links in emails are being missed by many security systems
Of The Six Dumbest Ideas in Computer Security, this is a combination of 1 (on the part of the MUAs) and 2 (on the part of the scanners). So, no kidding.
-
Sounds like a case of wilful ignorance
... says he was tricked by fellow co-schemers who told him they were not doing anything wrong by infecting computers with malware because they were not accessing private information such as banking or financial records.
I might have believed that claim 30 or so years ago. However, anyone having anything at all even remotely to do with technology would have to be living under a rock in order to not understand that infecting computers that you do not own is considered a serious crime.
That would be like claiming that you thought it was OK to drive yourself home after 6 drinks because you were careful not to hit any parked cars or pedestrians and you made it home.
I would call that wilful ignorance.
I was originally going to say that this whole thing sounds like a case of #4 from "The Six Dumbest Ideas in Computer Security". Then I reconsidered because it seemed like he had "good" intentions. However, I cannot imagine who would hire this guy after the claim that he made that he did not know what he was doing was wrong. Definitely sounds like a case of #4.
-
It would be funny, except ...
It would be funny, except that people are paying the ransom and not getting their files back. Perhaps there will be a positive result here and people will start to get the idea that it is never worthwhile to pay the ransom and to keep backups instead. Oh, who am I kidding? That is #5 of The Six Dumbest Ideas in Computer Security.
-
FWTK
I have used various versions of the FWTK to isolate test networks. There is an independent version of the code here.
If you (can find and) use the old version, beware of the author's reflections on his code.
As this has long been abandonware, I'd say that all of this code should be running in a chroot() as nobody should you use it. Also note that you'll need the -m32 compiler flag (in addition to many other changes) to get a clean build.
-
Re:I don't use Facebook
I was going to say: I use NoScript and Cookie Monster, you insensitive clod! To quote Ranum:
The opposite of "Default Permit" is "Default Deny" and it is a really good idea. It takes dedication, thought, and understanding to implement a "Default Deny" policy, which is why it is so seldom done. It's not that much harder to do than "Default Permit" but you'll sleep much better at night.
-
Re:Simple to stop via hosts files... apk
Are you going to list every possible misspelling of the websites? Enumerating badness does not work. Has not for a long time... http://www.ranum.com/security/...
-
Obligatory link
-
Re: Thanks anonymous reader!
Why is it that so many people seem to think that it's no big deal to open a connection to a random host on the internet? That puts you in yet another situation where you have to enumerate badness.
In this case, what you just described allows someone to probabilistically verify that someone saw a page (regardless of how they got the HTML - email/spam, HTTP, or a README.html found in a warez .zip). Marking links as prefetchable is something the malicious party can do on their own, so it offers zero protection, and a single packet is all that is needed to track you. Of course, we're not talking about a single packet, as this stupid "feature" does the entire transport layer including the SSL connection, not just the TCP 3-way-handshake.
I suggest thinking long and hard about what any of this data can be correlated with (temporally or as a matching surrogate key), and remember that it doesn't have to work all the time. Single data points are usually safe on their own, but the pattern that emerges when you join someone's data trail together can be very detailed.
We need a reduction of data that browsers transmit, in this post-Snowden world.
-
Re:It's déjà vu all over again ..
The Six Dumbest Ideas in Computer Security
What does it say? Blocked from work.
-
It's déjà vu all over again ..
-
Re:Standards
"The prescribed global standard doesn't work so we're just going to roll our own. Twice."
Great. Thanks for that. Not "we will penalise sites that don't allow OCSP pinning because we think it's necessary" but "bugger this, we'll apply our own definition of what can be trusted or not to every user".
The reason for using this alternative to the alternative is because any kind of blacklist-based security doesn't work. It rates #2 in the six dumbest ideas in computer security, with default-allow (which arguably is the problem that blacklists are trying to deal with) at #1. First there were CRLs, which don't work. They were replaced with OCSP, which doesn't work. Now we have cert blacklists, which are fairly recent so they haven't failed often enough for it to be obvious to everyone that they don't work, but give it time...
Once they fail, the browser vendors will come back with version 4 of the dumbest idea, then version 5, and then version 6, and they'll just keep on doing the wrong thing over and over and over until eventually it starts working, dammit!
-
Why anti-malware software don't work ..
-
2007 want their whitelist technology back ..
2007 is calling and wants their whitelist/blacklist technology back ..
There is a very good resource here comparing various host prevent/block whitelist/blacklist agents. -
Re:Windows 95
You know, I agree with your sentiment entirely, which is why I feel bad calling this out:
A serious firewall would be a good start.
It's really not. In fact, the firewall is the last thing you should think about.
That's not just because there are so many exploits right now that are for all practical purposes indistinguishable from normal traffic, although that's a good reason, too. It's because the best defenses are always layered defenses, and those start from the inside out.
Far too often I see people begin and end at the firewall. Even if they intended it only to be the start, their thinking rarely progresses much further into the network... why should it? They think about all the stuff the firewall is going to catch, and it seems to take care of so many problems it's hard for them to imagine what else they need to do internally to lock things down. They've succumbed to the "enumerating badness" fallacy, classically described by Marcus Ranum in his must-read Six Dumbest Ideas in Computer Security.
That's exactly backward, though. Where you want to start is at your core data, with the assumption that everything else has already failed, and what can you do to mitigate the disaster of penetration at that last possible level.
Then you work your way out, doing the same thing at each level.
Because almost no one does this, firewalls today are the thin, crunchy shell over the juicy taste explosion of vulnerable systems that crackers crave.
-
Result will be a bunch of single-purpose applets
First of all read http://www.ranum.com/security/computer_security/editorials/dumb/ item #2. You cannot "enumerate evil". Similarly big brother will find that they can't come up with an all-inclusive blacklist of "evil apps". There will *ALWAYS* be something they haven't thought of.
Instead, it's much more effective to whitelist "harmless apps". So you'll end up with...
* an email applet
* a spreadsheet applet
* a chat applet
* etc, etc, etc
Either that, or the "general purpose applet" will be Facebook... bleagh.
-
The Solution:
Stop enumerating badness: Default deny.
http://www.ranum.com/security/computer_security/editorials/dumb/ -
Re:Wrong Approach
Ranum pontificated on The Six Dumbest Ideas in Computer Security a while back. Migrating to a more secure approach would be inconvenient for many and impossible for some, such as those who cannot figure out how to configure a wireless password.
-
Re:A solved problem?
This is just Enumerating Badness. http://www.ranum.com/security/computer_security/editorials/dumb/ In other words, it is a game of whack-a-mole where you do not know there is a problem until after lots of people have been fucked. Like in AV software before heuristics.
-
Re:Here We Go Again ...
As long as the user has no way to quickly and safely run something in a sandbox, this will continue happening.
IMHO, once you give them the ability to run programs in a default deny environment, users can manage things fairly well.
See also: http://www.ranum.com/security/computer_security/editorials/dumb/
-
Re:#3) Penetrate and Patch
The Six Dumbest Ideas in Computer Security
No no... It's not a dumb Idea, well, not initially anyway, but you got it wrong, it's: Penetrate the patch.
The problems arise if you keep at it for long enough...
-
#3) Penetrate and Patch
-
Re:Passing on Viruses
Pretty much hit the nail on the head.
Polymorphic and Metamorphic viruses already exist and it's been proven mathematically that detecting such code is NP-complete.
(Spinellis, Diomidis; Reliable identification of bounded-length viruses is NP-complete, IEEE Transactions on Information Theory, 49(1):280–284, January 2003. doi:10.1109/TIT.2002.806137)
http://en.wikipedia.org/wiki/Polymorphic_code
http://en.wikipedia.org/wiki/Metamorphic_code
The scanners are so bad at detecting viruses because it's an example of Enumerating Badness, which is one of the 6 dumbest ideas in security which just won't die.
http://www.ranum.com/security/computer_security/editorials/dumb/
Rather than trying to keep track of the few thousand or tens of thousands of things that should be running on your own network and white-listing those, you either try to keep track of everything bad in the world or pay someone else to. Then you try to blacklist those.
Thus you get an antivirus scanner. -
Re:Can't Fix Stupid
The fact that Vista/7 is more secure than XP does little to counteract the habits and ecosystem of malware that exists to exploit people.
You think that Macs do?
You've proven the GP's point. Bad user habits are the cause of spam, not MS's operating system and I dislike Winblows as much as the next person with half a brain.
However bad Windows is at supporting bad user habits, OS X actively fosters them. The Mac advertising gives people a false sense of security by telling them that they are magically secure. In actual fact the same kind of malware that is so prevalent on Windows systems also exists on OS X; the only difference is that Mac users believe they are automatically protected by virtue of using a Mac.
The biggest infection vector in malware has never been technical (the OS), it's always been social (the user) and Macs don't help this. In fact they make it worse.
Here are the six dumbest ideas in computer security,
Windows and OS X cover major dumbs 1, 2 and 3 as well as minor dumbs 3, 5 and 6.
OS X on its own covers minor dumbs 1 and 2 as well as actively working against major dumb 5 (educating users).
Of those dumbest ideas, number 5 (educating users) is the most important because it's the only long term fix. But it's impossible to educate a user who believes they are magically protected. At least the overwhelming majority of Windows users acknowledge that there is a danger. -
Dumb security
The losing strategy of trying to enumerate all the bad software in existence is so stupid because bad software outnumbers good software, so why can't we enumerate all the good software - all versions?
In theory you can never be sure that you've removed malware. A compromised computer is compromised forevermore.
I honestly think with enough smart people, the right technology and software you can make malicious software less of a problem. Here's an example:
rather than installing the antivirus on your PC, you take your virus ridden computer to the antivirus shop*. The idea being that the malicious people cannot learn from your antivirus or disable it. Especially if you inspect it offline...
* Oh shit! I've given them that idea.
-
Re:The real tragedy
You are a stupid fucktard.
Here's Richard Feynman's review of the Challenger disaster: http://www.ranum.com/security/computer_security/editorials/dumb/feynman.html
Here's the report of the Columbia Accident Investigation Board: http://caib.nasa.gov/
The root causes are exactly the same. People in decision making roles totally unqualified to understand risks, no accountability. With sadly predictable effects.
With Challenger, the o-ring erosion was ignored despite the fact that they were never designed to erode.
With Columbia, the foam falling off was ignored despite the fact that it was never designed to fall off.
In both cases, it's the same fundamental problem.
So do yourself a favor and learn some critical thinking before making an ass of yourself. -
Bad security model still unchallenged... ugh!
The solution to this problem has been known for a very long time... it's the principle of least privilege.
We've had 25 years to wise up and stop using a "default permit" based system and still haven't done so.
Here's a summary of the situation, for those who want to help push things in the right direction.
-
Re:When the fuck will ad networks learn?
Your idea, while clever, isn't going to solve the problem. Javascript will just wind up being pulled in at the server side rather than through <script src="http://dooberidooberidoo....">
The problem is a combination of idiot ideas concerning computer security. Read something like "The Six Dumbest Ideas in Computer History" some time - it's eye-opening and it explains a lot. In the case of web browsing and Javascript, you've essentially integrated four of those ideas into basic computer use.
For those who haven't time to read the article, I'll summarise the idiot ideas that have made it into web browsing:
1. Default Permit. Why on Earth is it the default for most web browsers to run every single little thing they download? It's completely insane - seriously, I can't think of a better way to transmit malware than to sit somebody at a computer and give them a nice easy way to download and automatically run every silly thing they can find, even if the only thing they will run is supposedly sandboxed.
2. Enumerating Badness. We tell ourselves that it's OK to do this, as long as the end user (if they must run Windows at all) does so with half-decent AV installed. But AV works by keeping a list of "things that are bad" and blocking them all - you know how long that list is these days? You only need one thing to slip the net and your system's 0wned anyway. It's the computer equivalent of having sex with every disease-ridden cheap whore you can find working the streets and hoping to Christ the condom never breaks. The bad thing only needs to be lucky once, you need to be lucky every time.
3. Penetrate and Patch. Today the issue is at the server end. Four days ago, the issue was in Firefox (latest release was on the 9th December, it fixes a number of security holes). Next week it might be in Adobe Reader or Chrome. Exactly when did it start making good sense to play whack-a-mole with security holes? You don't see them building high-security prisons out of temporary Portakabins and then tacking extra things on in a blind panic every time inmates escape, so why are so many pieces of software that are likely to be exposed to malware designed in exactly this way?
4. Educating users. Telling people not to click blindly on every ad doesn't work, as anyone who's ever done serious amounts of user support can attest. You always have some people who will click on everything that appears on their PC, if education was going to fix that it would have stopped being a problem years ago. There's a damn good reason why larger companies frequently lock their PCs down so thoroughly they may as well be dumb terminals, and it's not because the IT department is run by a bunch of power-thirsty mini-hitlers. It's because it's the only way to stop the helpdesk being overrun with people ringing in to say "I clicked on this attachment and now I've got everyone complaining that I emailed them a virus. I didn't!".
-
Re:WhiteListing
I was talking about white-listing processes on systems which absolutely have to be secure.
As it stands antivirus software just blacklists virus code which is just an example of Enumerating Badness : http://www.ranum.com/security/computer_security/editorials/dumb/ -
Re:How to deal with network security?
*Default Deny
*don't enumerate badness
*forget about user education
This sounds really familiar. Are you the author of this article? -
Another vote for a default deny policy
Let's face it, 100% of the users on the internet are never going to learn to practice safe sex. So say you get an infection rate of 20%, that's still plenty of garbage floating around. It's time to start implementing a default deny policy on executables. Shriner and others have talked about this for years and Windows 7 has the ability to lock down the OS to only binaries signed by allowed certificates. Implementation on Unix-like machines is already starting and it would be simple to start adding further hooks into the kernel to block unsigned binaries from even entering address space. This is not to say the signing mechanisms won't be attacked, but we have to start moving forward. Virus and e-mail scanners will always be one step behind unless they figure out preemptive solutions that work and don't affect the end user. Once you start making the OS difficult for the user you've lost sight of the whole point and they'll happily click around your pretty little warning boxes anyway.
The internet is no longer safe, use a condom.
-
Gazebo
-
I will disagree.
Do you actually think that all IT and PC security companies have a giant cartel going, where they all secretly agree to suck? Somehow including all the "independent security researchers", which includes anybody with a computer, a clue, and some free software?
No. And no one is saying that.
Seriously? If there were some magic bullet, the temptation for one cartel member to make a giant pile of cash on it would be overwhelming.
You might want to look at this article.
http://www.ranum.com/security/computer_security/editorials/antivirus/index.html
There is no SINGLE solution that is 100% EFFECTIVE for EVERY scenario.
But the current focus on black lists is ineffective. At least white lists would give SOME degree of protection.
Much more troublesome, for security, is the fact that there are no known methods of secure computing that are economically competitive with insecure ones, not to mention the issue of legacy systems.
Fuck legacy. Seriously. I'm tired of everyone trotting out "legacy" as if it were some natural law.
A 100% brand new system today will STILL be vulnerable to the same attacks that were directed at the previous version of that system. That is simply bad design.
You can buy a lot of low end sysadmins re-imaging infected machines for what it would cost to write a fully proven OS and application collection that matches people's expectations.
And why do you need that?
Why not just a series of steps getting from the current disaster to a state closer to "best practices"?
Because there will always be "malware" does NOT mean that the situation cannot be improved. Instead of millions of machines infected, how about we aim for an environment where only 100,000 machines are infected?
-
Overconfidence
A lot of server stuff in Linux works so well that you can even forget that it is running at all, for years. Clamav is such kind of software: you install/configure it, set the automatic signature updates, and forget that it is there. But still, some periodic checks in the logs that all is working as expected are good, even if it is just some artificial ignorance well applied, especially when clamav started warning on this months ago.
-
Re:So why not change it?
Whitelisting executables has been around for a long time. There is general agreement that white listing is far superior to black listing. The problem is that to effectively use a white list, you need to become much more knowledgeable about your environment than is required with a blacklist. Back in the dark ages when I managed a bunch of Unix servers (of the million-dollar variety) at a university, we routinely used tricks such as mounting /tmp "nodev,noexec,nosuid" and using tripwire on system directories. This worked well because the manufacturer supported the configuration and anticipated that it would be used this way. This is difficult on Windows for two reasons. First, single person machines are not typically run with restricted accounts (ignoring, for the moment, UAC). Secondly, the filesystem layout was not designed from the start with a strict separation of data versus executable content. Adding either of these characteristics without hurting backwards compatibility (and therefore your happy customers) is nearly impossible. Here is a link to a fairly knowledgeable guy's experience with a few of the Windows tools a few years ago. http://www.ranum.com/security/computer_security/editorials/antivirus/index.html -
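As an added example (not the commenter's own tooling, and not from ranum.com), a POSIX shell audit of the /tmp hardening the comment describes: it parses a constructed /proc/mounts-style table and reports which of nodev, noexec and nosuid a mount point lacks, so a nightly cron job or a tripwire-style check can flag drift from the default-deny configuration. The mount table and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not the commenter's own tooling: audit a mount table for the
# "default deny" options the comment mentions (nodev, noexec, nosuid on /tmp).
# The mount table below is constructed in /proc/mounts format so it runs offline;
# on a live host you would pipe in /proc/mounts instead.

MOUNTS_SAMPLE='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime,size=2097152k 0 0
/dev/sdb1 /home ext4 rw,nosuid,relatime 0 0
/dev/sdb2 /var/tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0'

# missing_mount_options MOUNTPOINT REQUIRED_CSV
# Reads a /proc/mounts-style table on stdin and prints, one per line, each
# required option that is absent from MOUNTPOINT's option list. Prints
# "not-mounted" when the mount point is not a separate filesystem at all
# (a /tmp that lives on the root filesystem inherits root's permissive options).
missing_mount_options() {
    mp="$1"; required="$2"
    # Field 2 is the mount point, field 4 the comma-separated option list.
    opts=$(awk -v mp="$mp" '$2 == mp { print $4 }')
    if [ -z "$opts" ]; then
        echo "not-mounted"
        return 1
    fi
    for want in $(printf '%s' "$required" | tr ',' ' '); do
        # Wrap in commas so "nodev" cannot be satisfied by a prefix match.
        case ",$opts," in
            *",$want,"*) ;;
            *) printf '%s\n' "$want" ;;
        esac
    done
}

# audit_tmp_mounts MOUNT_TABLE: overall verdict for the hardened temp directories.
# Returns 0 when every listed mount point carries all three options, 1 otherwise.
audit_tmp_mounts() {
    table="$1"; rc=0
    for mp in /tmp /var/tmp; do
        missing=$(printf '%s\n' "$table" | missing_mount_options "$mp" nodev,noexec,nosuid)
        if [ -n "$missing" ]; then
            echo "$mp missing: $(printf '%s' "$missing" | tr '\n' ' ')"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run over the constructed table: /tmp above lacks noexec.
audit_tmp_mounts "$MOUNTS_SAMPLE" && echo "temp directories hardened"
```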
Use "artificial ignorance" and cron, daily
The short answer is to get someone to read all your logs daily and email you only if there's something non-routine in them. That will find anything that gets logged, so you will have good coverage and rapid notification.
Since no-one in their right mind is going to offer that service for a reasonable price, you can have cron run an "artificial ignorance" script nightly. The term comes from Marcus Ranum, and there's a complete discussion of filtering syslog at Sherlock Holmes on Log Files.
In practice, I get a few emails a month about new things, and add them to the list in the script if they're uninteresting.
--dave
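The nightly "artificial ignorance" filter described in this comment (and the periodic log check the "Overconfidence" comment above asks for), as an added example that is not the commenter's script or Ranum's original: a list of regexes describes what is known to be routine, everything that matches none of them is reported, and the exit status tells a cron wrapper whether there is anything worth mailing. The log lines, the ignore patterns and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the commenter's script: a minimal "artificial ignorance"
# log filter. Each pattern in the ignore list describes a log line known to be
# routine; whatever matches NO pattern is the residue a human should look at.
# Sample log lines and patterns are constructed and embedded so this runs offline.

# Known-routine patterns (extended regexes, one per line). Timestamps, hosts and
# PIDs are wildcarded so one pattern covers a whole class of messages.
# Caution: an empty line in this file is a pattern that matches everything,
# which would silently suppress the entire log.
IGNORE_PATTERNS='^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ CRON\[[0-9]+\]: \(root\) CMD \(
^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ sshd\[[0-9]+\]: Accepted publickey for deploy from 10\.0\.0\.[0-9]+ port
^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ systemd\[1\]: Started Daily apt
^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} [^ ]+ clamd\[[0-9]+\]: SelfCheck: Database status OK\.'

# Constructed syslog excerpt: three routine lines and three that should surface
# (a failed root login, the ClamAV "outdated" warning, an OOM kill).
SAMPLE_LOG='Mar  3 02:00:01 web1 CRON[2113]: (root) CMD (/usr/local/sbin/logcheck.sh)
Mar  3 02:05:12 web1 sshd[2140]: Accepted publickey for deploy from 10.0.0.7 port 50122 ssh2
Mar  3 02:05:40 web1 sshd[2151]: Failed password for root from 203.0.113.9 port 41002 ssh2
Mar  3 02:06:03 web1 clamd[901]: SelfCheck: Database status OK.
Mar  3 02:07:19 web1 clamd[901]: Your ClamAV installation is OUTDATED!
Mar  3 02:09:44 web1 kernel: [12345.678] Out of memory: Killed process 2211 (postgres)'

# artificial_ignorance LOGFILE PATTERNFILE
# Prints every line of LOGFILE that matches none of the patterns in PATTERNFILE.
# Returns 0 when nothing unexpected was found, 1 when something was printed
# (so a cron wrapper can decide whether to send mail), 2 on a grep error.
artificial_ignorance() {
    grep -v -E -f "$2" "$1"
    rc=$?
    # grep: 0 = non-routine lines were selected, 1 = nothing selected, 2 = error
    case $rc in
        0) return 1 ;;
        1) return 0 ;;
        *) return 2 ;;
    esac
}

# unexpected_count LOGFILE PATTERNFILE: number of non-routine lines.
unexpected_count() {
    grep -v -E -c -f "$2" "$1"
}

# Stand-alone run over the constructed sample (a cron job would instead point
# these at last night's syslog and pipe the output into mail).
TMPDIR_AI=$(mktemp -d)
printf '%s\n' "$IGNORE_PATTERNS" > "$TMPDIR_AI/ignore.re"
printf '%s\n' "$SAMPLE_LOG" > "$TMPDIR_AI/syslog.sample"
artificial_ignorance "$TMPDIR_AI/syslog.sample" "$TMPDIR_AI/ignore.re" \
    || echo "non-routine entries above would be mailed"
```

When a reported line turns out to be uninteresting, the fix is to add a pattern for it rather than widen an existing one, since an over-broad regex quietly hides the next real problem.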
-
Re:Is this the same Government that created it?
While we're requiring the ISP's and customers to do things
....would it hurt to require people to have some kind of monitoring program?
And what would it hurt to require ISPs to scan for certain keywords in communications or filter websites or other channels of communication we don't like?
Also on a practical note rather than a philosophical one:
scanning/filtering like you describe falls under "Enumerating Badness"
http://www.ranum.com/security/computer_security/editorials/dumb/ -
read the solution is here
"To strengthen the future cybersecurity environment by
.. working to define and develop strategies to deter hostile or malicious activity in cyberspace"
How about designing an Operating System that strictly differentiates between code and data - and don't download code from the Internet, except from a well defined whitelist of known secure and verified sources. And don't allow the execution of code by clicking on a URL or opening an email attachment.
"The EINSTEIN 2 capability enables analysis of network flow information to identify potential malicious activity while conducting automatic full packet inspection of traffic entering or exiting U.S. Government networks for malicious activity using signature-based intrusion detection technology"
Except enumerating badness is a bad idea, and if the computers didn't arbitrarily execute code coming in off the Internet then you wouldn't need to analyse the network flow information. Such a monitoring system is itself open to abuse. Your one stop shop to hacking the entire grid. -
Sun Tzu has explained this
Partially quoted (without permission) from Marcus J. Ranum
The Tale of Wise Master Sun and the Production Network
Master Sun was visiting with his friend Willow Blossom, who ran a mission critical network for a large E-commerce site. Blossom complained, "I hate software these days; I cannot trust that my system will work from one day to the next because code is so buggy. I am losing sleep, and my hair is falling out." Master Sun opined that this was tragic because Willow Blossom's hair was a gorgeous cascade of deep black - as black and shiny and deep as a null device on a spring morning. He bowed and excused himself, and asked for an audience with Prince Ciao (pronounced "Cee Eye Oh") who was lord of Willow Blossom's castle. He took a brush, and on the floor of the audience chamber wrote in ink:
1) Set up the production systems
2) Make them work
3) Test them
4) While true; do
If they are working; Continue; Endif
If they are not working; GOTO 2; Endif
5) Done
Prince Ciao studied Master Sun's writing for weeks even to the point of missing his golf games, and was finally enlightened. He summoned Willow Blossom and explained Tzu's wisdom, then had her head and its beautiful hair mounted on a stick in the NOC as an example to the others, even though it was his own policy that Willow install patches as fast as they came from the vendors. The next time Master Sun was invited to the castle, he politely declined.
During the 90's we were assaulted with a welter of products, the majority of which were half-assed and largely useless. And during that time, because Prince Ciao read all the marketing literature and WIRED magazine, network and system administrators were forced or "encouraged" to field beta-test code at an absolutely insane rate. The mainframe programmers of the 70's and 80's used to write of a practice called "Change Control" - in which production systems were managed with care and forethought. During the late 90's the last of the Change Control believers were taken out and shot, and their cubicles were given to the consultants who were there to mark everything up in XML in order to make everything better in some manner nobody understands yet. During that time, security practitioners were forced to repeatedly bend over and grip their ankles by business units that had already spent good money on bad products so by golly they were going to field them because otherwise Prince Ciao would have their heads. Of course nobody wanted to admit that. In 2000 I was Prince Ciao for a small start-up. Our sales VP went over my head to the CEO and bought the company Siebel's sales/customer management tool at the incredibly low price of only $500,000. Of course, it required 3 consultants working for 9 months to learn that it actually needed 5 consultants working for 12 months to make it work. I began to sharpen my stake. The icing on the cake was the discovery that Siebel required the use of Internet Explorer in order to function properly. Guess what happened? Explorer went in, of course. Where was Master Sun when I needed him?
-
firewall was down
"It's not as dumb as you may think. Security is based on a layered approach. If your firewall was down for some reason then the next layer of "security" would be your web app security .."
The Six Dumbest Ideas in Computer Security
Let me introduce you to the six dumbest ideas in computer security. What are they? They're the anti-good ideas. They're the braindamage that makes your $100,000 ASIC-based turbo-stateful packet-mulching firewall transparent to hackers. Where do anti-good ideas come from? They come from misguided attempts to do the impossible - which is another way of saying "trying to ignore reality." Frequently those misguided attempts are sincere efforts by well-meaning people or companies who just don't fully understand the situation .. -
won't make a bit of difference
"'Following the recommendations does not pose a significant threat as of now, but it has a very big potential of being one,' the company's researcher, David Sancho, writes on the Trend Micro blog."
It won't make a bit of difference, as AV software doesn't work already. A more realistic solution being to allow a whitelist of known good software.
'Why is "Enumerating Badness" a dumb idea? It's a dumb idea because sometime around 1992 the amount of Badness in the Internet began to vastly outweigh the amount of Goodness' -
Re:Value?
> Where's the value/point in releasing another limited-utility webserver?
Well...that depends I suppose. I don't think G-WAN is worth paying attention to, but Marcus Ranum semi-famously wrote a "limited utility" web server for a porn site that was both very fast and very secure in 1996, and still was a decade later. I agree with his point that not everything requires Apache level functionality, and all those bells and whistles come at a cost. Right tool for the job and all that.
http://www.ranum.com/security/computer_security/editorials/master-tzu/
I truly believe that the patching fad in which we are currently living is not going to last much longer. It can't. In another couple years, we'll have one full-time patcher to each system administrator. What's odd is that if companies simply exercised a bit of discipline, it wouldn't be necessary at all. Back in 1996 a buddy of mine and I set up a web server for a high-traffic significant target. It was not the Whitehouse; it was a porn site. We invested 8 hours (of our customer's money) writing a small web server daemon that knew how to serve up files, cache them, and virtualize filenames behind hashes. It ran chrooted on a version of UNIX that was very minimized and had code hacked right into the IP stack to toss traffic that was not TCP aimed at port 80. 10 years later, it's still working, has never been hacked, and has never been patched. If you compute the Return On Investment (Or ROI in the language of Prince Ciao) it's gigantic.
-
Re:What, a worm on a platform with no market share
Doesn't this (finally) put to bed the notion that there are virtually no worms or viruses for Mac OS X simply because hackers don't want to waste their time on a platform with so little market share?
Well, my personal opinion is that OS X doesn't get as much malware because its security model is better than Windows' in at least one crucial way: it has the Unix concept of the executable bit, which turns the system from "default allow" to "default deny" and so locks out a huge number of traditional Windows vectors (the auto-executing email attachment, the auto-executing drive-by download, the auto-executing IM attachment, etc., etc.) in one fell swoop. As others have said, "default allow" is the dumbest idea in the history of computer security.
But as for people putting in their time, well, I don't know if you noticed but if you come up with a crack for something produced by Apple you'll end up with 5.75x10^600 pageviews from the resulting press coverage (see: pwn2own, which has basically become a luck of the draw contest -- if you get to go first, you win because you're sitting on a canned exploit you kept secret solely for the contest). And certain types of people love that sort of attention.
-
what's wrong with the design of the Internet?
If you had the power to change up to three things in the world today that are related to IT security, what would they be?
Internet design--that's enough.
That's it? What's wrong with the design of the Internet?
There's anonymity. Everyone should and must have an identification, or Internet passport. The Internet was designed not for public use, but for American scientists and the U.S. military. That was just a limited group of people--hundreds, or maybe thousands. Then it was introduced to the public and it was wrong...to introduce it in the same way.
-- unquote --
That's total BS, what's wrong with the Internet is the vast networks of compromised desktop computers co-opted to be used as botnets to provide spamming and phishing services to the criminal sector. The vast majority of which run on Microsoft Windows. And people like you making a good living out of selling 'security' solutions. If everyone on the planet switched off their office 'computer' when they went home from work, the amount of spam/malware on the Internet would drop by over a half.
There is nothing wrong with the Internet, it performs as designed. It delivers packets to-and-from IP addresses. It doesn't know or care what's in 'em. Nor should it, that would break the design. Security should be handled at the end connections. What would cure the current spam/phishing/malware infestation is to design a desktop 'computer' that doesn't get infected by opening an email attachment or clicking on a URL.
"If I were Bill Gates, I'd run another company--100 percent owned by Microsoft--that produces the antivirus under a different brand"
It's never occurred to Kaspersky to suggest that Bill Gates design an Operating System that doesn't rely on AV to protect. As Marcus Ranum once said, enumerating badness is a bad idea since 'the amount of Badness in the Internet began to vastly outweigh the amount of Goodness'.
So basically because people like Kaspersky have failed at security, and want to implement an Internet Stasi (Staatssicherheit). I don't think so. There are enough people out there that'll see it don't ever happen. --
'Kaspersky Lab UK provides the leading antivirus and spyware software'
please buy more of my bogus 'security' solutions - nuff said .. :)
-
#5 of "The Six Dumbest Ideas in Computer Security"
The Six Dumbest Ideas in Security. In this particular case: "#5 Educating Users". A couple of choice quotes:
If "Educating Users" is the strategy you plan to embark upon, you should expect to have to "patch" your users every week. That's dumb.
The real question to ask is not "can we educate our users to be better at security?" it is "why do we need to educate our users at all?"
I've already posted that we need to stop blaming the user and start blaming the authors of the system (Microsoft). The problem isn't some PEBKAC thing where a user is clicking on what they think is AV software and accidentally ruining their system. The problem is that the system allows them to do it in the first place. A run-of-the-mill, standard user shouldn't be able to do this in the first place. Why is it happening at all?? What important feature is being provided by the OS by allowing the user to do this?? Some feature of installing AV software so it can prevent other fake AV software from installing? This is lunacy!
A meta-problem is that the industry and environment have trained users to expect the OS to be broken in a way they need protection from ("Oh look, a new AV program that is 1000% better than my old stuff!"), but that is another thread.
-
protection from anti-malware malware
"let's argue that there are secure ways antivirus protectors could learn about all installations of software -- good and bad -- that any of their end-users perform. Let's also assume that they could easily collect other data from these machines and users: geographic location, social networking information, type of operating system, installed programs and configurations"
What's going to protect us from defects in these security systems? Wouldn't giving these malware monitoring systems access to computer networks lessen security rather than enhance it? And isn't this the case that in order to be protected from spyware, I have to let this security system spy on me? And didn't someone once argue against enumerating badness, as in it's a bad idea, because 'the amount of Badness in the Internet began to vastly outweigh the amount of Goodness'?
-
Re:Symantec is saying this?
Why does this industry suck so badly? Anyone have any insight?
Windows is a wildly popular OS but unfortunately improperly secured, which, combined with the rise of network connectivity and the fact that Windows users tend to install things they found "on the net", has made it the perfect malware platform. It also doesn't help that there are a myriad of applications for Windows, with varying levels of quality, many of which re-invent the wheel instead of relying on common libraries, and thus reintroduce the same vulnerabilities over and over.
What to do about it? Why, of course, let's attempt to classify ALL possible pieces of malware out there and attempt to keep track of them AFTER they've entered your PC. 'Cause that makes much more sense than, say, DEP and ASLR, mandatory whitelists of software that is allowed to run, or *gasp* FIXING bad software.
In today's day and age blacklisting is utterly stupid. It may have made sense back in the 80's and 90's when there was much less malware, but it has grown exponentially since then.
Right now the antivirus companies are just running a protection scheme and interested in perpetuating the status quo. They don't want malware to go away. Malware is their bread and butter.
-
Re:To be expected
"The (untrue) assumption that many people seem to hold (is) that...", patching actually is a "best practice", when it's not.
Marcus Ranum has an interesting and humorous take on patching that spells it out much better than I could.
The short version:
- Patching is a substitute for good design
- Patching exists for the simple reason that there is a rush to get products out the door, rather than take the time to ensure that they are secure
This is true of 99.9% of software in use.
-
We need a whitelist that doesn't suck
The only solution is to make a system that uses a whitelist. But whitelists suck. So we need a whitelist that doesn't suck.
The first step is to have all the email clients start digitally signing emails. It is trivially easy to forge the headers on an email, so it would be stupid to trust them for identity information.
The second step is to have email servers check the identity against the whitelist. If the digital signature is invalid, or the credentials are forged (message was digitally signed, but the announced public key of the sender doesn't match) the message is trashed, with no error message sent. If the signature checks out, but the sender was not on the whitelist, the message bounces back to the sender, with an explanation ("you weren't on the whitelist, sorry").
Okay, but whitelists suck. If my best friend from college wants to track me down and send me an email, I want him to be able to do that; but I don't know his email so he's not on my whitelist. So, we need a solution to this problem.
My proposed solution is that your email server should advertise a list of ways that you will accept to bypass your whitelist for a message. One possible way: attach a micropayment of five cents. Another way: attach a certificate showing that your computer worked for an hour on some worthy problem like protein folding at home or something. Another way: here's a URL of a web page; it contains some riddle... attach the answer to your email. I'm sure you can think of other schemes to make it possible for a friend to bypass your whitelist while not enabling zombie Windows clusters to spray spam into your inbox.
There are other refinements possible. Your whitelist can accept, not just individual signatures, but "badges" from some organization. So, anyone from Mozilla.org can attach a Mozilla.org badge to their emails, and I can allow all Mozilla.org emails through. IEEE member badge, SourceForge.net badge, Apple.com badge, go nuts. Even an organization of "I Swear I Will Never Send Out Spam". The key with the badges is that, if you get kicked out of an organization, you have to lose access to the badge. One simple way would be for the check to be live: if you attach a Mozilla.org badge, the Mozilla.org server had better agree that your identity is one known to it.
The current email system is a "Default Permit" system (the #1 dumbest idea on this list). It has to change.
This system would run on the infrastructure we already have, with a few additions. You could have one account with the whitelist, and another account without... but the one with the whitelist is the only one that pages you, or whatever. The important thing is that this doesn't require everyone in the whole world to adopt it before it starts to become useful. Mailing lists would still work, because when you sign up for a mailing list you would add that mailing list identity to your whitelist (probably a badge, such that members of the mailing list are then cleared to email you directly, through the badge).
Someone may claim that validating public key signatures is computationally expensive. No, not compared to running complicated heuristics over the content of a message, trying to guess whether it's spam or not (SpamAssassin and other systems). With this system, the server doesn't attempt to classify a message. Either it passes the whitelist, it's bounced back to the sender, or it's deleted. Done.
Now, if you have found a hole in this idea, you will score bonus points by explaining how to fix it, not merely pointing out that I am an idiot.
steveha
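The decision procedure steveha sketches above (verify the signature against the announced key, trash forged credentials silently, bounce unknown senders with an explanation, and let strangers through only via an advertised bypass) can be written down as a small receiving-server policy. The following is an added example, not code from the post or from any mail system; the addresses, the Ed25519 choice, the riddle answer "42" and the message layout are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Verdict is the receiving server's decision: deliver, bounce with an
// explanation, or trash silently (the three outcomes the post describes).
type Verdict int

const (
	Deliver Verdict = iota
	Bounce
	Trash
)

func (v Verdict) String() string {
	return [...]string{"deliver", "bounce", "trash"}[v]
}

// SignedMail is a constructed stand-in for a message from a signing client.
type SignedMail struct {
	Sender    string            // claimed identity (hypothetical address)
	PubKey    ed25519.PublicKey // key the message announces for that identity
	Body      []byte
	Signature []byte // Ed25519 signature over sender + body
	Bypass    string // optional whitelist-bypass token (here a riddle answer)
}

// Policy is the recipient's whitelist (identity -> known key) plus the
// bypass the server advertises to strangers.
type Policy struct {
	Whitelist    map[string]ed25519.PublicKey
	RiddleAnswer string
}

// signedPayload binds the claimed identity to the body so neither can be
// swapped without invalidating the signature.
func signedPayload(sender string, body []byte) []byte {
	return append([]byte(sender+"\n"), body...)
}

// Keypair generates a fresh Ed25519 key pair for a simulated client.
func Keypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is what the sending client does: sign, and announce the public key.
func Sign(priv ed25519.PrivateKey, sender string, body []byte, bypass string) SignedMail {
	return SignedMail{
		Sender:    sender,
		PubKey:    priv.Public().(ed25519.PublicKey),
		Body:      body,
		Signature: ed25519.Sign(priv, signedPayload(sender, body)),
		Bypass:    bypass,
	}
}

// Decide applies the post's rules in order: bad signature -> trash; identity
// on the list but under a different key (forged credentials) -> trash;
// listed -> deliver; stranger -> deliver only with a valid bypass, else bounce.
func (p Policy) Decide(m SignedMail) Verdict {
	if len(m.PubKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(m.PubKey, signedPayload(m.Sender, m.Body), m.Signature) {
		return Trash
	}
	known, listed := p.Whitelist[m.Sender]
	if listed && !known.Equal(m.PubKey) {
		return Trash
	}
	if listed {
		return Deliver
	}
	if m.Bypass != "" && subtle.ConstantTimeCompare([]byte(m.Bypass), []byte(p.RiddleAnswer)) == 1 {
		return Deliver
	}
	return Bounce
}

// Demo runs the constructed scenarios and returns each verdict by name.
func Demo() map[string]Verdict {
	alicePub, alicePriv := Keypair() // whitelisted friend
	_, bobPriv := Keypair()          // stranger
	_, malPriv := Keypair()          // impersonator claiming alice's identity
	policy := Policy{
		Whitelist:    map[string]ed25519.PublicKey{"alice@example.org": alicePub},
		RiddleAnswer: "42",
	}
	body := []byte("hello")
	tampered := Sign(alicePriv, "alice@example.org", body, "")
	tampered.Body = []byte("hello, send money") // altered after signing
	return map[string]Verdict{
		"listed friend":        policy.Decide(Sign(alicePriv, "alice@example.org", body, "")),
		"tampered body":        policy.Decide(tampered),
		"forged credentials":   policy.Decide(Sign(malPriv, "alice@example.org", body, "")),
		"stranger, no bypass":  policy.Decide(Sign(bobPriv, "bob@example.net", body, "")),
		"stranger, riddle ok":  policy.Decide(Sign(bobPriv, "bob@example.net", body, "42")),
		"stranger, riddle bad": policy.Decide(Sign(bobPriv, "bob@example.net", body, "41")),
	}
}

func main() {
	for name, v := range Demo() {
		fmt.Printf("%-22s -> %s\n", name, v)
	}
}
```

Note that the "forged credentials" case carries a perfectly valid signature; it is trashed only because the whitelist already knows a different key for that identity, which is exactly the check the post relies on. The key-to-identity binding itself (how a recipient first learns alice's key) is outside what the post specifies and is simply assumed here.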
-
25K euros firewall ..
"We purchased a 25K euros firewall last month with which we had some issues"
What for? All you needed was a redundant PC and SmoothWall, not that a firewall is much good in this day and age of RPC over HTTP and various apps allowed to open most any high port. Firewalls were only really useful when the original nix system only allowed 'root' to open low ports for sending, so any packets received (nix-to-nix) from one of these ports was deemed semi-validated. Whatever, read what an expert has to say on Firewalls and security.
"using firefox to type addresses in the search bar, nothing was responding"
Why not have a heartbeat applet running on the firewall that SMSed your phone in the event of an outage. That way you don't have to set up camp in the server room, clicking on things ..