Google Security Engineer Urges Hackers To Focus Less on Anti-Virus and Intrusion Products (theregister.co.uk)
Google senior security engineer Darren Bilby has asked fellow hackers to expend less effort on tools like antivirus and intrusion detection and instead focus on more meaningful defenses such as whitelisting applications. From a report on The Register: The incident responder from Google's Sydney office, who is charged with researching very advanced attacks including the 2009 Operation Aurora campaign, decried many existing tools as ineffective "magic" that engineers are forced to install for the sake of compliance but at the expense of real security. "Please no more magic," he told the Kiwicon hacking conference in Wellington, New Zealand today. "We need to stop investing in those things we have shown do not work. And sure you are going to have to spend some time on things like intrusion detection systems because that's what the industry has decided is the plan, but allocate some time to working on things that actually genuinely help. [...] Antivirus does some useful things, but in reality it is more like a canary in the coal mine. It is worse than that. It's like we are standing around the dead canary saying 'Thank god it inhaled all the poisonous gas'," he said.
According to the summary and article, he didn't say AV was a useless box-ticking exercise.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
Fuck this guy.
An antivirus may not protect against a new attack, but it sure can reduce the value of an existing exploit (thus increasing R&D costs for script kiddies while reducing their profits). Though it is rather amusing how some "antivirus" comes bundled with, or is itself, malware -- but much less amusing that it is legal.
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
Well, as a computer, that is. The great strength of a general purpose computer is just that - it can do anything.
Once you have a whitelisting "solution" on it, it can only do what the IT Dept. explicitly approves of, which now means that it's about as useful as an iPhone - only files that have been explicitly whitelisted are allowed to be executed.
A whitelisting client that actually locks things down properly won't even allow you to use the shell, well, it won't allow you to run .BAT files. Running the individual commands may still be allowed!
It might provide security, but at the cost of stifling the ability of "power users" (i.e., programmers of limited ability - or indeed, any ability).
My last job installed one on the developer's computers... and gave us the permissions to override it. Pressing "OK" after every single build to be allowed to run it was... special.
Advice on safe internet use is "horrible", he added. Telling users not to click on phishing links and to download strange executables effectively shifts blame to them and away from those who manufactured hardware and software that is not secure enough to be used online.
The alternative is horribly locked down appliances that can't do what the user asks them to do. It means distrusting the owner of the device. There are scenarios where that can make sense, where the role of the device is very well defined (ATMs, point of sale equipment, etc.), but personal computers by their very nature empower their users to do things the vendor would not necessarily have conceived of.
I agree that antivirus measures are not that good, but it just means that user education is all the *more* important, unless you don't want to let the users do anything or you don't have any users doing creative technical work.
XML is like violence. If it doesn't solve the problem, use more.
What Google means is "only allow Google Approved" software to run on your locked down device. That is what "whitelisting" means. Meanwhile Android is the biggest malware-laden piece of shit on the planet when it gets deployed to real devices, and Google's ad network is a vector for drive-by exploits. So fuck you Google.
He's not wrong about the problem, but Google has yet to show us what the silver bullet solution is. Android. nuff said.
See the pattern? Selling a locked down machine will become much easier with just a little FUD. However a user should have the option of whitelisting, works on spam also.
“He’s not deformed, he’s just drunk!”
I agree...that does look pretty racist. All those lawn jockeys are white. Where is the diversity?
>instead focus on more meaningful defenses such as whitelisting applications
They want to become the whitelisting authority, then to de-whitelist their competitors. Just like what Apple did. Too greedy!
There should be a law that states that any computer ("PC", "laptop") needs to be fully configurable by the end user by default. Every aspect of it needs to be controllable by the end user, network settings, which applications can run, which operating system can be installed, which BIOS or EFIS can be flashed, etc. If that's not the case, then the company should be forced to put a huge red warning sticker on it that clearly states "NOT A GENERAL COMPUTING DEVICE".
Yep. You have your HDMI cords for approved content, with your approved OS, and your approved websites, your approved ads, and your approved applications.
The problem is no one can be trusted really, I mean, in theory it sounds great, but who decides an application gets approved? We all know that applications will eventually be denied because they compete with a service they want you to pay for, and they'll (if caught) say oh it was a miscommunication we identified a problem with the app that needed to be corrected but we're definitely releasing this now as it's safe.
When really it was "Shit, if that releases right now it'll hurt our profits"
There's a very old anti-virus utility called "Vaccine" which did exactly this.
Only programs on the whitelist were allowed to be run,
and every program was checked using a checksum in the product's internal database.
You could allow and disallow products whenever you liked,
and it would automatically prompt you if you tried to run something that wasn't whitelisted.
Now, of course, none of this, or what the article suggests, will prevent stupid users from running stuff they shouldn't.
But Vaccine was the best anti-virus tool of its time.
The problem with whitelisting is there has to be someone who does that whitelisting. Now that's fine in an enterprise organization. You presumably have trained IT staff who can test a program in a test lab and see if it is ok, if there are any issues against other programs, and so on. It does cost more, and slows down the speed at which you can adopt new software, but it is doable. However that only works because you have experts there who can test and make a presumably informed judgement call.
At home, there's nothing like that. How is a non-technical user to know if a program is evil or not? What they'll do in reality is just add anything they want to run to the whitelist since that is a prerequisite to making it run. They won't bother to actually check and see if it is harmful because how would they?
A virus scanner is useful to them because it can automatically tell them if something is bad. No, it doesn't do it 100% of the time, but most good ones have a pretty high hit rate. So they don't have to know what they are doing, just listen to the program on their system and if it says "nope" then don't run it.
As an aside, Google really needs to stop telling others what to do and get their own house in order first. The security situation in Android is pretty abysmal.
You presumably have trained IT staff who can test a program in a test lab and see if it is ok,
Not really. Malware is good at evading detection under VM/test environments.
slows down the speed at which you can adopt new software
This is the major advantage that whitelisting provides --- slowing down the speed is mostly the major security benefit.
You aren't just searching the web, downloading, and rolling out programs willy-nilly. You have to wait, which throws away a lot of malware because you weren't willing to wait, or you didn't realize you were trying to deploy software in the first place (a Windows UI issue), or you didn't realize you should be careful. By adding delays and slowing down the process, it adds a cost to deploying new software, which makes it likely you will do it less often, which reduces exposure.
Also, slowing down the deployment means emergent malware will more likely be detected by antivirus (slowing down to wait for whitelisting gives antivirus time to catch up). Rolling out new code too fast, and not being careful enough about where it came from and the details, adds malware risk.
At home, there's nothing like that. How is a non-technical user to know if a program is evil or not?
You can simulate it. Do your due diligence on the author and the website you get it from before you download and run their software. Only run software that is from either an established vendor, or is open source, or has been out for more than a couple of years and has a following.
Download and wait at least a few weeks before you run the new program. Check for news to make sure there's no new bad news about the program or its author.
Update and maintain realtime AV, and scan it before installing.
gpedit.msc: Set up software restriction policies at the computer level for non-admins to block program execution from C:\Users; .LNK from denied list
remove
"So who claimed he did? Are you arguing with the voices in your head again?"
my rss feed claims that slashdot ran this originally with the headline "antivirus tools are a useless box-ticking exercise says google security engineer".
Way to stigmatize critical thinking and mental health in the same AC tweet-scale word vomiting.
You can't whitelist everything you need to, and you can't trust end users to be able to do that all themselves (no matter how many dialogs you pop up). A/V is only capable of doing so much, so users still need education.
The other option, as this Google engineer proposes, is to lock everything down and only allow vetted programs. This is called Trusted Computing (a.k.a. Treacherous Computing) for software and digital rights management (digital restrictions management) for media. These are very secure (so long as you trust the vetting agency), but they promote too much vendor lock-in and they directly combat Free Software.
Use my userscript to add story images to Slashdot. There's no going back.
I advocate for and fund projects (one of the biggest funders thereof) that are giving users the absolute maximum control of their devices, but despite this I'd agree that users should generally only be provided with a simple means of installing applications from a set of software that has been deemed safe, and the complete set of source code is available. This does not mean users should be prevented from installing 'unauthorized' applications. That's also the wrong take on it. There is a huge difference between 95% of the population that need streamlining and the 5% of the population that doesn't.
The problem we have today is that software developers don't finish the job. If they would submit their software to repositories and everybody would release the complete set of source code we'd all be in much better shape. The closed worlds of Microsoft and Apple are the biggest threat. The problem is distributions like Ubuntu are only slightly better. The advantage with Ubuntu for 95% of the population is that 50% of this market segment can be covered simply from the applications included on the install disc and/or from the repository, with only maybe one or two applications outside the repository being desirable. If Ubuntu would remove the non-free software and Adobe/Google would release the full code and submit their applications to the repository we'd be all set (while I've never seen a user demand Skype, that might not hurt either).
and all the help US brands gave the US mil and gov.
When a US brand asks the wider global security community to do anything different, that's the time to start really looking.
Any safe product would not be doing anything to make any AV product interested over days, weeks, months of updates?
What is it about skilled, advanced global AV efforts that induced such a request?
Users need layers of good security applications. Intrusion detection, firewalls, working real crypto, software looking for changes deep in an OS in realtime, outgoing software firewalls...
Then recall what the big safe brand products did with PRISM.
Domestic spying is now "Benign Information Gathering"
At home, there's nothing like that. How is a non-technical user to know if a program is evil or not?
Decent end-user security software has a "learning mode" for this kind of thing. This still does require a degree of trust that your application vendor isn't malicious, but honestly the professionals in corporate security are forced to make that assumption too... nobody audits everything.
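A checksum-keyed execution allowlist of the kind the Vaccine comment earlier in the thread describes (allow, disallow, prompt on unknown programs), with the "learning mode" this comment mentions as an option. This is an added example in Python, not code from Vaccine, from any vendor's product, or from any commenter; the file names and contents are constructed, and the in-memory dictionary stands in for a product's internal database.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

class ExecAllowlist:
    """Checksum-based execution allowlist: programs are keyed by the SHA-256 of their
    bytes, not their names, so a replaced or tampered binary no longer matches.
    learning=True records and permits unknown programs (a 'learning mode')."""
    def __init__(self, learning: bool = False):
        self.allowed: dict[str, str] = {}  # sha256 -> label; constructed in-memory "database"
        self.learning = learning
    def allow(self, path: Path) -> None:
        self.allowed[sha256_of(path)] = path.name
    def disallow(self, path: Path) -> None:
        self.allowed.pop(sha256_of(path), None)
    def check(self, path: Path, prompt=lambda p: False) -> str:
        """`prompt` stands in for the dialog shown when an unknown program is started."""
        h = sha256_of(path)
        if h in self.allowed:
            return "allowed"
        if self.learning or prompt(path):
            self.allowed[h] = path.name
            return "learned" if self.learning else "allowed-by-user"
        return "blocked"

def demo() -> dict:
    # Constructed scenario: an approved tool, that tool after modification, an unknown program.
    with tempfile.TemporaryDirectory() as tmp:
        tool, unknown = Path(tmp) / "tool.exe", Path(tmp) / "unknown.exe"
        tool.write_bytes(b"MZ original tool bytes")
        unknown.write_bytes(b"MZ something else")
        wl = ExecAllowlist()
        wl.allow(tool)
        out = {"tool": wl.check(tool), "unknown": wl.check(unknown)}
        tool.write_bytes(b"MZ original tool bytes + injected code")  # same name, new hash
        out["tampered_tool"] = wl.check(tool)
        out["by_user"] = wl.check(unknown, prompt=lambda p: True)
        wl.disallow(unknown)
        out["revoked"] = wl.check(unknown)
        learner = ExecAllowlist(learning=True)
        out["learn_first"], out["learn_second"] = learner.check(unknown), learner.check(unknown)
        return out
```

The tampered-tool case is the point of hashing rather than naming: the modified binary keeps its file name but is no longer on the list, while learning mode shows why it must be switched off once the baseline is set, since it admits whatever runs first.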
I had huge problems implementing white lists at a previous job (software development company).
However, it is real that this is the only solution. It is "very" painful, but what medicine is not painful to take or has bad side effects? The huge mistake was to think of general-purpose computers where you can mix the highly sensitive stuff with reading newspapers or Facebook profiles and visiting dangerous places; this is the same as saying that you can walk without care through a hall full of mosquitoes with Zika. You need to do something: cover yourself, put a lot of poison around you (that can also kill you), or just not go there.
But today we have extremely powerful single board computers and mobiles with technology that could be reused to define different types of devices having multiple running environments. Then, you can have more than one computer or more than one computer module devoted to the risky stuff and other modules working the sensitive things, together with a well designed protocol defined to use the best (and safe) parts on every side. In general ... something must change, we can't continue walking the same path, this will go nowhere.