Slashdot Mirror


Internet Security Moving Toward 'White List'

ehud42 writes "According to Symantec, 'Internet security is headed toward a major reversal in philosophy, where a 'white list' which allows only benevolent programs to run on a computer will replace the current 'black list' system' as described in an article on the CBC's site. The piece mentions some issues with fairness to whose program is 'safe' including a comment that judges need to be impartial to open source programs which can change quite rapidly. Would this work? The effort to maintain black lists is becoming so daunting that white lists may be an effective solution."

9 of 316 comments

  1. Follow the money by mdm42 · Score: 3, Interesting

    Sounds to me more like a scheme to squeeze money out of software producers: "Give us teh money if ya wants yer program whitelisted."

    --
    New mod option wanted: -1 DrunkenRambling
  2. Not going to happen by MadMidnightBomber · Score: 4, Interesting

    Can someone send me a list of all IPv4 hosts which are not malicious? k thanx bye.

    PS. please can you also send me an update whenever a new machine is compromised?

    --
    "It doesn't cost enough, and it makes too much sense."
  3. What about JavaScript? by Beryllium+Sphere(tm) · Score: 4, Interesting

    A lot of the work my computer does for me happens via Google's JavaScript. Will I have to whitelist it all over again every time the Gmail implementation changes? If it's whitelisted by domain, then you still have to protect against cross-site scripting attacks somehow (all hail NoScript!).

    The whole idea of a program being a quasi-static executable installed locally is starting to seem quaint.

  4. Is it me by damburger · Score: 4, Interesting

    Or is this going to really screw small-scale Windows developers?

    Seems to me to be a blatant attempt by the big boys to lock users into their software (or software from companies they have an arrangement with). Since the majority of users probably won't know how to disable this 'feature', they will have less choice, and therefore higher costs.

    --
    If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
    1. Re:Is it me by beakerMeep · Score: 4, Interesting

      Maybe, but coming from Symantec this is just marketing tripe for their own services or future services. As an approach to security this already takes place. Think of Firefox or a firewall asking you "are you sure you would like to run this program?"

      Though it does seem like they are positioning themselves to be the gatekeepers of all software, good or bad. Want to run a program? Don't ask the user, ask Symantec. People won't stand for that though. There is a certain level of control over a computer most users are willing to give up in certain circumstances to the OS or an outside party or the like, but this is total control. Even novice users would probably find some piece of software they wanted to run that wasn't in the system and get annoyed at Symantec for breaking their computer while more technical users would likely never want to be early adopters of something like this.

      Not only that, but I wonder.... wouldn't the list of "good" software be unimaginably larger than the list of malicious trojans and viruses?

      Think about that number for a second. The only way they would ever look good would be if every single one of the users only ever ran software on the list. So for each user that uses dozens of applications, if even just one of those dozens isn't on the list, they are going to blame Symantec.

      Sadly I don't think this will stop them from trying to pull this off anyways and at least getting a small userbase of complete novices and maybe corporate IT depts that want to lock down the drones.

      --
      meep
  5. what about the small developer? by rucs_hack · Score: 4, Interesting

    Take me for example. My open source software has a tiny number of users, being very specialised, and I'm not alone in having this class of software. We can't all be Apache developers. How will people like me get their program approved? Is it going to cost money? That's what I want to know.

    I'd be interested in knowing how they deal with the fast release cycle of open source software (excluding mine, oh for a 48 hour day...).

    I'm pretty keen on the whitelist idea though. If nothing else it'll make malware more inventive, they'll start imitating the fingerprints of validated software.

  6. High time too by jimicus · Score: 4, Interesting

    The Internet in general terms started moving in this direction years ago when people started to configure their firewalls to block everything and allow only what you need through. Previously it was reasonably common practice not to have a firewall at all - or if you did, all it did was block against things which were known to be malicious.

    It is a lot of work to maintain any whitelist of any significant size. But the reason you do it is because it's a lot more work to maintain any blacklist of any significant size, and even more work still to clear up the mess after something slips the net.

    I think residential ISPs will be the first - I'd be surprised if it was even possible to connect outside your own ISP's network. Email through their SMTP server, web access through their proxy, sucks if you want any other service your ISP doesn't provide. Some of the more expensive ISPs may set up some sort of "sign a disclaimer and we'll let you do anything, but we reserve the right to pull the plug if we see so much as a single malicious packet" system.

  7. Re:What happened to good OS design? by chocobot · Score: 3, Interesting

    Check out Usable Interaction Design
    Also relevant: Capability security.
    E Language
    Capability Security

  8. Re:Agreed... NoScript is outstanding. by walt-sjc · Score: 4, Interesting

    Maybe a "NoScript Plus", like Adblock Plus, where a few trusted individuals (or a reputation based system) can be used to maintain an "auto-whitelist" for NoScript. Users could then choose the level of "auto" whitelisting they wish to use... None (which is like it is now), Trusted Major Commercial (allowing Google, Yahoo, etc.), etc. I personally would choose None, but I can see that non-technical users would opt for someone else to maintain the list (that they could still override locally.)