Slashdot Mirror
Internet Security Moving Toward 'White List'
ehud42 writes "According to Symantec, 'Internet security is headed toward a major reversal in philosophy, where a 'white list' which allows only benevolent programs to run on a computer will replace the current 'black list' system' as described in an article on the CBC's site. The piece mentions some issues with fairness to whose program is 'safe' including a comment that judges need to be impartial to open source programs which can change quite rapidly. Would this work? The effort to maintain black lists is becoming so daunting that white lists may be an effective solution."
I'm all for this idea. We're counting Flash and Javascript as external programs too, right?
My Internet security philosophies have always been drop 'em all, let iptables sort 'em out!
They're using their grammar skills there.
Sounds to me more like a scheme to squeeze money out of software producers: "Give us teh money if ya wants yer program whilelisted."
New mod option wanted: -1 DrunkenRambling
Can someone send me a list of all IPv4 hosts which are not malicious? k thanx bye.
PS. please can you also send me an update whenever a new machine is compromised?
"It doesn't cost enough, and it makes too much sense."
A lot of the work my computer does for me happens via Google's Javascript. Will I have to whitelist it all over again every time the gmail implementation changes? If it's whitelisted by domain, then you still have to protect against cross-site scripting attacks somehow (all hail NoScript!)
The whole idea of a program being a quasi-static executable installed locally is starting to seem quaint.
Or is this going to really screw small-scale windows developers?
Seems to me to be a blatant attempt by the big boys to lock users into their software (or software from companies they have an arrangement with. Since the majority of users probably won't know how to disable this 'feature', they will have less choice, and therefore higher costs.
If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
Why? Because AV vendors want your money.
With a whitelist, the user clicks 'Accept' for everything he runs. Then he's protected until he installs something else.
Blacklists are great since they require yearly subscriptions.
isn't the flip side of this that now you're only allowed to run approved programs on your computer? Only IE is approved for web browsing, only MSN Live is approved for instant messaging. I know that I, for one, welcome our corporate overlords.
White lists have been proposed since the beginning of time - from web filtering to spam provention, and now to malware provention - and they all suffer from exactly the same problem, which is the fact that humans are not all identical clones of each other, and neither consume information in the same way, nor communicate with others in the same way.
Commodore 64, Loading up the dance floor!
This application has not been signed by Microsoft. Do you want to run this application? Yes/No
Are you sure you want to run this application? Yes/No
Are you really sure you want to run this application? Yes/No
I mean, if it's not Microsoft, it's not really "official", what makes you sure you should be running this application. You probably shouldn't. There's a nice Microsoft alternative which is "official". Wouldn't you like to download that instead? Yes/No
Deleted
anyone has ever suggested about computer security.
"A week in the lab saves an hour in the library"
Certificates were intended as a white list: you protect the submitted data and have certificate from a central authority that this is indeed the company the certificate says it is.
We know how this ended (certificates given left and right without proper verification).
Now they try again with new certificates, which are more expensive.
So that's about that part.
What about site filters. Whitelisting sites in security suites has got to be the dumbest idea I've heard in a long time. Last I checked there's like billions of pages out there, some of which safe and some not.
So now that we find it impossible to cover the entire subset of malicious pages, what do we do? Yes, we try to cover the even great subset of legal pages.
This will either end with many small harmless sites filtered out, or sites having to pay ransom to all security suite vendors out there to get whitelisted or something of a similar nature.
Not happening.
Take me for example. My open source software has a tiny number of users, being very specialised, and I'm not alone in having this class of software. We can't all be Apache developers. How will people like me get their program approved? Is it going to cost money? That's what I want to know.
I'd be interested in knowing how they deal with the fast release cycle of open source software (excluding mine, oh for a 48 hour day...).
I'm pretty keen on the whitelist idea though. If nothing else it'll make malware more inventive, they'll start imitating the fingerprints of validated software.
This is not a new idea, and many have talked about it before
Really, black lists were a bad idea from the start. Usually, the programs people want to run on a computer will remain fairly static, with perhaps a few changes when they update or find something online that looks interesting.
I'm sure they're must be some security software that uses whitlists already. Does anyone know of any free ones?
The Internet in general terms started moving in this direction years ago when people started to configure their firewalls to block everything and allow only what you need through. Previously it was reasonably common practise not to have a firewall at all - or if you did, all it did was block against things which were known to be malicious.
It is a lot of work to maintain any whitelist of any significant size. But the reason you do it is because it's a lot more work to maintain any blacklist of any significant size, and even more work still to clear up the mess after something slips the net.
I thnk residential ISPs will be the first - I'd be surprised if it was even possible to connect outside your own ISPs network. Email through their SMTP server, web access through their proxy, sucks if you want any other service your ISP doesn't provide. Some of the more expensive ISPs may set up some sort of "sign a disclaimer and we'll let you do anything, but we reserve the right to pull the plug if we see so much as a single malicious packet" system.
I would like to see an OS that maintains
several rings (concentric circles) into which programs can qualify
through increasingly rigourous standards and testing as they
get closer to the central core ring of software.
So essentially this OS would have a core ring of whitelisted and essential
programs. Just outside this would be a 2nd ring of whitelisted but
optional programs.
Then a ring of "grey listed" (reputationally vouched for, for both security
and usefulness and quality)
Followed by a "wild west" outer ring.
The OS would be designed so that programs in a more outer (less trusted,
and less essential) ring, could not have any access to the memory or disk
areas of more inner programs, and could only ever use the services of inner
programs through narrow public interfaces supervised by the OS.
Where are we going and why are we in a handbasket?
For instance, users in a corporate environment where setups are exactly defined and IT can check out in advance what works.
/. crowd: forget it, the whitelist wil annoy you more that it helps ;-)
For a private user with a mostly static set of application, it should still work but expect the occasional blocked program.
For developers and the rest of the
C - the footgun of programming languages
This leads to the conclusion that all other "security"-companies where either in bed with Sony, or that their "security"-products are utterly useless. I'm not sure, which is worse.
So why again should I give a rats ass about the opinion of those guys, when it comes to security?
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
I think people should look at the big picture before taking this too seriously as a security measure: Programs only run on a system if they are either started by the end-user, or started by some other code on the system which has explicitly allowed that program run. Put another way, the current first line of defense is a 'white-list' like approach where processes only run when they are allowed to run.
The problem is that there are lots of people / large software monopolists in the world who don't know how to code well, and this creates security flaws which cause this authorised code to do things on behalf of other code, including possibly executing arbitrary.
This code is then theoretically built on top of a kernel which attempts to restrict what the code can do even if it is executed (of course, often there are flaws here too, and often the exploited code is run with more privileges than it should have, so the entire system can be compromised).
Virus scanners and other security software of this kind are supposed to provide an extra, reactive layer of defense on top of the existing proactive measure for anything which slips through the cracks. Suggesting that they be turned into another white-list is therefore not a logical suggestion, and implies that they are not being entirely honest:
* They might just want to create hype to utilise unsuspecting journalists to sell more of their products for them.
* Perhaps this is part of another Digital Restrictions Management style plot to take the decisions of what runs on computers from computer owners and give it to some central pseudo-authority so they can (mis)use the power for their own purposes.
X-Has-Sig: yes
It won't just be "you're on the list, welcome to the party" but access to each resource will be given only if that particular access is whitelisted.
You already see this in some security programs, where program A is white-listed for ports 80 and 443, program B is listed for ports 20 and 21, etc. etc. etc.
Eventually, this will be locked down even more. Program A may be whitelisted for port 80, but only for the purposes of self-updating or reporting bugs to its manufacturer, and only to a short list of domain-names or IP addresses.
Within a web browser, not only will add-ons like flash and Java have their own restrictions, each add-on will have its own restriction. Java implements a version this already, allowing applets: it's supposed to let talk to home base but not much more.
I also see the rise of ordinary applications running in a full or lightweight VM, with applications in different VMs talking to each other over a virtual network rather than through shared memory or shared files. Rogue or compromised applications in a VM will be limited to what they can do, much like a chroot'd or BSD-jailed application, only more so.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Being a gatekeeper in a whitelist scheme is a great business opportunity:
After all, businesses would be willing to pay to get their products into said whitelist, while one hardly expects virus makers to pay for getting their creations into a blacklist.
Of course, i'm sure the Symantec guys are naturally not at all thinking of all those extra $$$
Indeed, the only possible "success" from the whitelist idea is that the Internet morphs into television (shudder).
Q: Where has the Internet failed?
A: Its main proponents and enthusiasts ignored Drivers' Ed for the info-superhighway. They didn't teach people how to use web browser and email programs, didn't show how to read a URL and pay attention to the protocol and domain, nor instill the habit of mousing-over links to see where they go beforehand. Teaching people about the padlock symbol should have also included how to deal with SSL certificate alerts.
The result of this neglect is that people cannot recognize authenticity on the Internet, so the value of the Internet's "currency" is spoiling. Imagine if people weren't clued-in on how to authenticate a $20 bill: Over time only certain government and corporate entities would be trusted to handle currency to prevent spoiling by counterfeiters.
Our job as Internet cognoscenti is to keep correcting the people around you on the right way to use Web and email. Granted, this is not a cure-all given the other major factor here (Windows malware) but its several steps in the right direction. This stuff is not hard.
The alternative is an Internet-II re-worked around big corporations and government sites through a whitelist enforced by Trusted Computing remote attestation. Don't think they won't be opportunistic enough to scare the public into that corner.
There is only one problem with this approach: once you install a white list, you no longer have a general computing device (short: computer), but an embedded device. You are limited in what you can do by what is on the list.
Developers will be the first to notice: you can still write and compile a program, but you cannot test it. But the typical user will also be affected: what about the useful firefox extension you like? Bummer, not on the list. Want to use facebook? Sorry, the javascript in the new version is not approved.
The white list is a pretty futile anyway, because you can program on several levels. Javascript is only an example: what if the browser is approved, but your javascript code does nasty things? Or what about a heap overflow in the browser? Suddenly you are running custom code, but how is the white list going to notice this?
1: What kind of person even remotely interesting in anything "Internet Security" would even consider dreaming about considering taking Symantec seriously?
2: Didn't we have this discussion not too long ago except the "List" would've been administered by MSFT (&co), called TCPA (then Palladium then NGSCB then OMGWTFBBQ) and be a little bit more "hardware-assisted"? (For anti-microsoft-fanboy coverage, check out AgainstTCPA, for msft coverage try Microsoft, Wikipedia has some rather neutral insights)
You may be more right than some probably realize. See, whitelisting is essentially all that "trusting computing" was about.
Yes, "trusted computing" had all that DRM stuff and crypto signatures and all components authenticating themselves and their drivers, but essentially that's what you need to have a bullet-proof whitelist.
- E.g., if you don't have a strong hash to be sure that it indeed is the program you think you're running, and it's an untampered executable, then you don't really know what you're running. (E.g., if you were to do it just by name, and you allow, say, "WoW.exe", then you'll also run a virus attachment called "WoW.exe" just as cheerfully.)
- E.g., if you don't make the system startup itself bullet-proof, people will use spoof drivers and whatnot to compromise that security
So basically we're essentially back to the same Palladium shit that we ranted and raved against as the great Satan. It's what MS wanted in Vista in the first place, but apparently realized grudgingly that noone else wanted. And _of_ _course_ Vista would be on the list. In fact, better than that, Vista was supposed to be the one enforcing it. (Which, if you think about it, is pretty much needed. If the OS doesn't do it, and doesn't double-check its startup and components at that, any other link down the chain is not guaranteed to be guaranteed enough to be the uncompromised.)
So now it's snuck back under the same claim that you need it to protect you from the evil hackers. Right.
Well, the problems are the same any way anyone wants to slice it. E.g.,
- it essentially discourages running stuff you compiled yourself. (Just changing the options you compile a kernel with, for example, is enough to change the hash, if the hash is any good. So essentially the only safe thing a "trusted computing" system should conclude there is that the system itself has been tampered with and is no longer secure or trustable.)
- it places an undue burden on small time developpers and hobbyists. I know if I was distributing a small utility on sourceforge, I'd be annoyed if I had to re-certify it every time I refactor something or fix some obscure bug. Doubly so if it costs anything to get it certified, which would likely be the case if a commercial entity is doing it. Getting it virus scanned, ran through some automated heuristics, hashed, and put on the list, can take some time and infrastructure and a paid employees time costs money.
And, frankly, even if it was something as trivial as 10$, why would I pay it for something that makes me no money? It'd be like ROI except without the R. And if you want it thoroughly dissected and certified that it 100% can't possibly be a virus, then it'll cost a heck of a lot more than that.
- it can be used to shaft you the other way around too. A program can authenticate the system it runs on, and some might even need to. (E.g., I sure hope an anti-virus utility pipes up loudly if it thinks it runs on a system where the OS itself has been compromised. E.g., I sure hope a banking applet pipes up loudly if it runs in a browser that's been compromised.) So there's nothing to keep someone from making a program that refuses to run in Wine or a flash applet that refuses to work in Mozilla.
And if you think noone other than MS would ever do that, think again. There was this recent story even on Slashdot about webmasters who explicitly don't want Mozilla users because they block their ads.
Etc.
A polar bear is a cartesian bear after a coordinate transform.
...That if people could start using more secure OS's, meaning more of the necessary apps gets developed for said OS's, white, black, grey etc listing wouldn't be needed. I think all PC's should have a sensor, which senses if a certain user is going to do something stupid, then knock said user out with a blunt (and semi soft) instrument, pick it self up and run away. The bane of PC security is users doing stupid things. (This is coming from a guy who just have had to spend a day cleaning out RavMon from a bunch of Windows PC's because some schmuck tried to download some games over Limewire and thought Hitman: Bloodmoney really only is 5mb, somebody have to teach people how to pirate properly, since improper pirating spreads viruses)
Frankly, I'm not all for this idea. It creates a cumbersome and abusable solution to something that was solved better already.
E.g., whatever happened to running something in a sandbox, ffs? You can go as far as running something untrusted (e.g., a plugin, ActiveX control, etc) in a virtual box, but even a chroot jail is a good start. It _is_ possible to isolate something to the point where it can't do any harm at all, and can't touch anything except itself. It's also possible to nice it to the point where it only runs when nothing else wants to, so it can't DOS your system that way.
So why doesn't anyone do just that already? E.g., MS could have fixed their own ActiveX crap that way ages ago. Instead we got this baroque, but fundamentally broken, model where you get to decide (or have decided for you based on zones) whether something can't run at all, or can run with full rights as an executable. Except if a malicious one slipped through the cracks, it's still a full executable running on your machine.
Heck, even Java is essentially the wrong way about it as a browser plugin. It tried to implement itself some restrictions which belong in the OS or browser itself, and if the JVM itself is compromised (there _have_ been a couple of JVM vulnerabilities), it can do anything. Kudos to Sun for trying that, but it's a workaround essentially. It shouldn't have been the JVM which does that, it should have been the OS and browser.
Whitelisting is just an extra step in that wrong direction, essentially. Instead of making sure that a malicious thing in the browser can't touch anything else, we're one step further in the baroque, fragile and monumentally work-intensive direction of determining which of them should be allowed. Except again, if something slipped through the cracks, you'll still get screwed so hard you'll walk bow-legged for a week.
Am I the only one who finds that dumb?
A polar bear is a cartesian bear after a coordinate transform.
It's already like this in the mobile environment, and it's a terrible pain for developers.
When making apps in Java/J2ME or Symbian (e.g. for Nokia nSeries), you need to have the client signed by a third party in order to use native resources like memory efficiently. While the signing process it not technically the same as a white list, is has similar consequences: You are hindered in successfully demonstrating your software for potential customers until some unknown person has expressed his subjective opinion about it.
I know cause we make such an application right now, and during development we're screwed, as we can't get around these limitations even on our development devices. It's no good.
IF this idea catches on, real world developers need to test the god damn system before they enforce it on people.
I'd like to expand on my first post by pointing out a few ways for fighting malware that are the most freedom-friendly, encouraging users to make responsible decisions. These depend on OS vendors employing sane UI policies:
Do not engage in filename-mangling! If a file is named "apicture.jpg.exe" then it MUST be displayed that way and must not undergo any automatic alteration (falsification) that, for instance, makes an executable appear as data.
Additionally, all executable files are shown with a red warning flag whenever that filename is displayed by the desktop, file manager or file dialog. This is important, as Windows will execute files ending in ".com" and this suffix is a part of most websites the user trusts; clicking on a "monster.com" file is natural so another indicator is necessary to cut down on trojans.
Make web site scripting purely an opt-in affair by default. This goes for anything else the html engine is used for, like chat clients.
No more "Open this file" option in download dialogs. Period. If the user cannot manage opening the file themselves from the regular UI, then hopefully they will get stuck and sign up for an introductory computer class.
Maybe a "NoScript Plus", like adblock plus, where a few trusted individuals (or a reputation based system) can be used to maintain an "auto-whitelist" for noscript. Users could then choose the level of "auto" whitelisting they wish to use... None (which is like it is now), Trusted Major Commercial (allowing google, yahoo, etc.), etc. I personally would choose None, but I can see that non-technical users would opt for someone else to maintain the a list (that they could still override locally.)
GEEK: It sets up the chroot jail or it gets the hose.
N00B: [sobbing hysterically]
GEEK:Yes, it will, Precious, won't it? It will get the hose!
N00B: Okay... okay... okay. Mister, if you let me go, I won't - I won't press charges I promise. See, my mom is a real important woman... I guess you already know that.
GEEK: Now it places the browser in the chroot jail.
N00B: Please! Please I wanna go home! I wanna go home please!
GEEK: It places the browser in the chroot jail.
N00B: I wanna see my mommy! Please I wanna see my...
GEEK: Put the fucking browser in the jail!
Please stop stalking me, bro.