Slashdot Mirror


Internet Security Moving Toward 'White List'

ehud42 writes "According to Symantec, 'Internet security is headed toward a major reversal in philosophy, where a 'white list' which allows only benevolent programs to run on a computer will replace the current 'black list' system' as described in an article on the CBC's site. The piece mentions some issues with fairness to whose program is 'safe' including a comment that judges need to be impartial to open source programs which can change quite rapidly. Would this work? The effort to maintain black lists is becoming so daunting that white lists may be an effective solution."

7 of 316 comments

  1. Again? by suv4x4 · Score: 5, Insightful

    Certificates were intended as a white list: you protect the submitted data and have a certificate from a central authority that this is indeed the company the certificate says it is.

    We know how this ended (certificates given left and right without proper verification).

    Now they try again with new certificates, which are more expensive.

    So that's about that part.

    What about site filters? Whitelisting sites in security suites has got to be the dumbest idea I've heard in a long time. Last I checked there's like billions of pages out there, some of which are safe and some not.

    So now that we find it impossible to cover the entire subset of malicious pages, what do we do? Yes, we try to cover the even greater subset of legal pages.

    This will either end with many small harmless sites filtered out, or sites having to pay ransom to all security suite vendors out there to get whitelisted or something of a similar nature.

    Not happening.

  2. Re:Not going to happen by Architect_sasyr · Score: 5, Funny

    127.0.0.1

    --
    Me failed English...
    FreeBSD over Linux. If my comments seem odd, this may explain...
  3. Re:Not going to happen by Anonymous Coward · Score: 5, Funny

    according to my scanner, that machine is totally compromised

  4. And why would I trust Symantec's opinion? by CaptainZapp · Score: 5, Insightful

    Remember the Sony rootkit fiasco? Remember that F-Secure was the only security company detecting it and approaching Sony?

    This leads to the conclusion that all other "security"-companies were either in bed with Sony, or that their "security"-products are utterly useless. I'm not sure which is worse.

    So why again should I give a rat's ass about the opinion of those guys, when it comes to security?

    --
    I am the musician

    with pocket calculator in hand

    Kraftwerk

  5. Where are the Web Safety basics ? by Burz · Score: 5, Insightful

    Indeed, the only possible "success" from the whitelist idea is that the Internet morphs into television (shudder).

    Q: Where has the Internet failed?

    A: Its main proponents and enthusiasts ignored Drivers' Ed for the info-superhighway. They didn't teach people how to use web browser and email programs, didn't show how to read a URL and pay attention to the protocol and domain, nor instill the habit of mousing-over links to see where they go beforehand. Teaching people about the padlock symbol should have also included how to deal with SSL certificate alerts.

    The result of this neglect is that people cannot recognize authenticity on the Internet, so the value of the Internet's "currency" is spoiling. Imagine if people weren't clued-in on how to authenticate a $20 bill: Over time only certain government and corporate entities would be trusted to handle currency to prevent spoiling by counterfeiters.

    Our job as Internet cognoscenti is to keep correcting the people around you on the right way to use Web and email. Granted, this is not a cure-all given the other major factor here (Windows malware) but it's several steps in the right direction. This stuff is not hard.

    The alternative is an Internet-II re-worked around big corporations and government sites through a whitelist enforced by Trusted Computing remote attestation. Don't think they won't be opportunistic enough to scare the public into that corner.

  6. You may be more right than some realize by Moraelin · Score: 5, Insightful

    You may be more right than some probably realize. See, whitelisting is essentially all that "trusted computing" was about.

    Yes, "trusted computing" had all that DRM stuff and crypto signatures and all components authenticating themselves and their drivers, but essentially that's what you need to have a bullet-proof whitelist.

    - E.g., if you don't have a strong hash to be sure that it indeed is the program you think you're running, and it's an untampered executable, then you don't really know what you're running. (E.g., if you were to do it just by name, and you allow, say, "WoW.exe", then you'll also run a virus attachment called "WoW.exe" just as cheerfully.)

    - E.g., if you don't make the system startup itself bullet-proof, people will use spoof drivers and whatnot to compromise that security

    So basically we're essentially back to the same Palladium shit that we ranted and raved against as the great Satan. It's what MS wanted in Vista in the first place, but apparently realized grudgingly that no one else wanted. And _of_ _course_ Vista would be on the list. In fact, better than that, Vista was supposed to be the one enforcing it. (Which, if you think about it, is pretty much needed. If the OS doesn't do it, and doesn't double-check its startup and components at that, any other link down the chain is not guaranteed to be guaranteed enough to be uncompromised.)

    So now it's snuck back under the same claim that you need it to protect you from the evil hackers. Right.

    Well, the problems are the same any way anyone wants to slice it. E.g.,

    - it essentially discourages running stuff you compiled yourself. (Just changing the options you compile a kernel with, for example, is enough to change the hash, if the hash is any good. So essentially the only safe thing a "trusted computing" system should conclude there is that the system itself has been tampered with and is no longer secure or trustable.)

    - it places an undue burden on small time developers and hobbyists. I know if I was distributing a small utility on sourceforge, I'd be annoyed if I had to re-certify it every time I refactor something or fix some obscure bug. Doubly so if it costs anything to get it certified, which would likely be the case if a commercial entity is doing it. Getting it virus scanned, run through some automated heuristics, hashed, and put on the list, can take some time and infrastructure and a paid employee's time costs money.

    And, frankly, even if it was something as trivial as 10$, why would I pay it for something that makes me no money? It'd be like ROI except without the R. And if you want it thoroughly dissected and certified that it 100% can't possibly be a virus, then it'll cost a heck of a lot more than that.

    - it can be used to shaft you the other way around too. A program can authenticate the system it runs on, and some might even need to. (E.g., I sure hope an anti-virus utility pipes up loudly if it thinks it runs on a system where the OS itself has been compromised. E.g., I sure hope a banking applet pipes up loudly if it runs in a browser that's been compromised.) So there's nothing to keep someone from making a program that refuses to run in Wine or a flash applet that refuses to work in Mozilla.

    And if you think no one other than MS would ever do that, think again. There was this recent story even on Slashdot about webmasters who explicitly don't want Mozilla users because they block their ads.

    Etc.

    --
    A polar bear is a cartesian bear after a coordinate transform.
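
Added example (not part of the thread or of any commenter's post): a minimal comparison of the name-based and hash-based allowlisting that comment 6 contrasts, using constructed file contents. The function names, directory names and sample bytes are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path, chunk=65536):
    """Stream the file so large executables are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def allowed_by_name(path, names):
    # Weak policy: trusts whatever the file calls itself.
    return os.path.basename(path).lower() in names

def allowed_by_hash(path, digests):
    # Strong policy: trusts only byte-for-byte known content.
    return sha256_of(path) in digests

def demo():
    """Return {label: (name_verdict, hash_verdict)} for three constructed files."""
    with tempfile.TemporaryDirectory() as root:
        def write(subdir, data):
            d = os.path.join(root, subdir)
            os.makedirs(d)
            p = os.path.join(d, "WoW.exe")
            with open(p, "wb") as f:
                f.write(data)
            return p
        # Constructed sample contents, not real binaries.
        genuine = write("games", b"MZ genuine build 1.0")
        impostor = write("attachments", b"MZ something else entirely")
        rebuilt = write("self_compiled", b"MZ genuine build 1.0 -O2")
        names = {"wow.exe"}
        digests = {sha256_of(genuine)}
        files = [("genuine", genuine), ("impostor", impostor), ("rebuilt", rebuilt)]
        return {
            label: (allowed_by_name(p, names), allowed_by_hash(p, digests))
            for label, p in files
        }

if __name__ == "__main__":
    for label, (by_name, by_hash) in demo().items():
        print(f"{label:9} name-allowlist={by_name}  hash-allowlist={by_hash}")
```

The name check admits all three files, including the impostor; the hash check admits only the enrolled build and also rejects the locally rebuilt one, which is the self-compiled case the comment raises.
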
  7. What happened to good OS design? by Moraelin · Score: 5, Insightful

    Frankly, I'm not all for this idea. It creates a cumbersome and abusable solution to something that was solved better already.

    E.g., whatever happened to running something in a sandbox, ffs? You can go as far as running something untrusted (e.g., a plugin, ActiveX control, etc) in a virtual box, but even a chroot jail is a good start. It _is_ possible to isolate something to the point where it can't do any harm at all, and can't touch anything except itself. It's also possible to nice it to the point where it only runs when nothing else wants to, so it can't DOS your system that way.

    So why doesn't anyone do just that already? E.g., MS could have fixed their own ActiveX crap that way ages ago. Instead we got this baroque, but fundamentally broken, model where you get to decide (or have decided for you based on zones) whether something can't run at all, or can run with full rights as an executable. Except if a malicious one slipped through the cracks, it's still a full executable running on your machine.

    Heck, even Java is essentially the wrong way about it as a browser plugin. It tried to implement itself some restrictions which belong in the OS or browser itself, and if the JVM itself is compromised (there _have_ been a couple of JVM vulnerabilities), it can do anything. Kudos to Sun for trying that, but it's a workaround essentially. It shouldn't have been the JVM which does that, it should have been the OS and browser.

    Whitelisting is just an extra step in that wrong direction, essentially. Instead of making sure that a malicious thing in the browser can't touch anything else, we're one step further in the baroque, fragile and monumentally work-intensive direction of determining which of them should be allowed. Except again, if something slipped through the cracks, you'll still get screwed so hard you'll walk bow-legged for a week.

    Am I the only one who finds that dumb?

    --
    A polar bear is a cartesian bear after a coordinate transform.